Home Decisions

Decision 010/2023

Decision 010/2023: Health care staff rota

Authority: Forth Valley Health Board
Case Ref: 202101100

Summary

The Applicant asked the Authority for a copy of a staff rota.  The Authority provided the rota with personal data redacted.  The Commissioner found that the Authority had been entitled to refuse to disclose the personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of “data protection principles”, “data subject”,” personal data”, “processing” and “UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of "personal data"); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (b) and (c) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 19 June 2021, the Applicant made a request for information to the Authority.  He asked for:

“The staff rota for health care staff for the week beginning February 22 until February 25 2021. I would like this to include any staff members absent, late or on holiday.  Even staff members who were on shift but sent elsewhere to other establishments etc.” 

2. The Authority responded on 19 July 2021 and provided the Applicant with a table with the numbers of staff on duty for each of the days, and the number on annual leave and on sick leave for the timeframe.  

3. On 22 July 2021, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that he was dissatisfied with the decision because he was not provided with what he had asked for: he had asked for a staff rota, not just the numbers of staff on duty, or on sick or annual leave. He stated that the information provided by the Authority only told him how many staff were on duty, on leave or sick.

4. The Authority notified the Applicant of the outcome of its review on 19 August 2021. The Applicant was provided with a table with containing the redacted job titles of the staff members. 

5. On 2 September 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. He stated that he was dissatisfied with the outcome of the Authority’s review because he wanted to be able to identify the staff members. 

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

7. On 21 September 2021, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided this information and the case was allocated to an investigating officer. 

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to its decision to withhold information under section 38(1)(b) of FOISA.

9. The investigating officer sought comments from both the Authority and the Applicant. Both the Authority and the Applicant provided comments. 

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Section 38(1)(b) – Personal Information

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR. 

12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information personal data?

13. The first question the Commissioner must address is whether the information withheld by the Authority under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. 

14. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus. 

15. The information being withheld by the Authority is part of the staff rota for the period of time specified by the request.  The Authority’s review did supply to the Applicant a redacted rota with information showed the working hours of all individual staff (arranged by team), and with indication of leave. 

16. The Commissioner is satisfied that the information withheld under section 38(1)(b) is personal data: the information, consisting of job titles and dates when on duty, and other information, could identify living individuals and clearly relates to them. 

Would disclosure contravene one of the data protection principles? 

17. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR. Article 5(1) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.” 

18. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request. 

19. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed. 

20. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case. 

Condition (f): legitimate interests 

21. Condition (f) states that processing shall be lawful if it - 

is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

22. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA. 

23. The three tests which must be met before Article 6(1)(f) are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55   - although this case was decided before the GDPR (and UK GDPR) came into effect, the relevant tests are almost identical):

(i) does the Applicant have a legitimate interest in the personal data? 

(ii) if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)? 

Does the Applicant have a legitimate interest in obtaining the personal data? 

24. The Applicant provided background information for the reason for his request and explained why he was dissatisfied with the Authority’s response.  The Applicant stated that he required the names of the staff members to assist with the understanding of an incident that he had been involved in. He stated that disclosure of the names to him would assist him in pursuing this matter and referred to other requests he had made to the Authority for similar, related information. He explained that the Authority had refused to investigate his concerns. 

25. The Authority submitted that the Applicant did not have a legitimate interest in this information. It commented that the Applicant’s motivation for requesting this information was in relation to an incident/allegation. The Authority said that other recorded information which the Applicant had requested – not in the present request – was not in fact held by the Authority and the present request was (the Authority suggested) for information that could be used as supporting evidence together with the previously requested information (an incident report) in an effort by the Applicant to refute the allegation. As the incident report did not exist, which the Applicant had been made aware of, the Authority did not consider that the Applicant has a legitimate interest in receiving the unredacted staff rota.

26. The Commissioner accepts that, in the circumstances, the Applicant has a legitimate interest in the personal data.  The Applicant has a concern – and the Commissioner makes no comment or finding about that concern or an allegation related to it – relating to the staff on duty at a certain time.  In as much as a rota would convey this it could be said to be of interest to the Applicant. The Commissioner does not find that in this instance there is a wider interest in understanding the staff rota for that particular period of time. 

Is disclosure necessary to achieve that legitimate interest? 

27. Here, “necessary” means “reasonably” rather than absolutely or strictly necessary. The Commissioner must therefore consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the privacy of the data subjects (the staff members). 

28. The Authority argued that the data subjects would not expect their personal data to be released into the public domain. While the data subjects were not specifically asked for their consent to disclosure, the Authority stated that the withholding of their identities was to protect their confidentiality.

29. It should be noted that, if the information the Applicant has requested is disclosed in response to a FOISA request, it is, in effect, disclosed into the public domain. 

30. The Commissioner is satisfied that, although the Applicant has a legitimate interest in the personal data, disclosure is not necessary to achieve that legitimate interest. 

31. The Commissioner notes the Applicant’s reasons for considering that the names of those on duty should be disclosed and he has accepted that the Applicant has a legitimate interest inasmuch as he has concerns about an incident/allegation involving him and staff. However, the Applicant has not provided any argument why he considers that it is necessary for him to know the actual names of all the individuals and their times of work for that period in order for him to achieve this legitimate interest. 

32. The Applicant in his application referred to information that would be found in a medical file or a letter sent by the Authority to a person, and commented that such information – for example, names of Authority staff – would be contained therein and could be seen by the recipient. The Applicant also submitted that staff would wear name badges that would identify them. Similarly, in the specific Health centre in question the Applicant said that there was a board affixed to the wall with a list of staff on duty.  

33. However, it must be noted that information available in the ways suggested by the Applicant differs from information disclosed under FOISA which is, as stated above regarded, as being put into the public domain.  

34. In the circumstances of this case, however, the Commissioner considers it is possible to pursue any concerns about the treatment received by a member of the Authority’s staff without the disclosure under FOISA of the Authority’s full rota for that time period.  

35. In the absence of a condition in Article 6 of the UK GDPR which would allow the names of the staff members to be disclosed lawfully, disclosure would breach Article 5 of the UK GDPR. The names are, therefore, exempt from disclosure under section 38(1)(b) of FOISA 

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement 

14 February 2023

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

    (i) the request for information to which the requirement for review relates;

    (ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);    and

    (iii_ the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    …

UK General Data Protection Regulation 

4 Definitions

For the purpose of this Regulation:

1 ‘Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

5 Principles relating to processing of personal data 

1 Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject         (“lawfulness, fairness and transparency”)

    …

6 Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.


Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a) an identifier such as a name, an identification number, location data or an  online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental,  economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations             which is performed on information, or on sets of information, such as – 

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.