Home Decisions

Decision 016/2023

Decision 016/2023: Name of adviser

Authority: Scottish Public Services Ombudsman
Case Ref: 202201009


Summary

The Applicant asked the Authority for the name of the nurse who advised it on a complaint he had made.  The Authority notified him that the name was exempt from disclosure.  The Commissioner agreed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 26(a) (Prohibitions on disclosure); 30(c) (Prejudice to effective conduct of public affairs); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”, (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner); 49(3)(a) (Commissioner’s decision)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and 14 (a), (c) and (d) (Terms relating to the processing of personal data)

Scottish Public Services Ombudsman Act 2002 (the SPSO Act): sections 12 (Investigation procedure) and 19 (Confidentiality of information)

Nursing and Midwifery Order 2001 (the 2001 Order): article 25(1) (Council’s power to require disclosure of information)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 14 August 2022, the Applicant made a request for information to the Authority.  He asked for the name of the adviser who provided advice on a complaint he had made to the Authority and asked whether the adviser was a nurse or doctor.  

2. The Authority responded on 16 August 2022.  It gave the Applicant some information about the adviser’s qualifications and confirmed the adviser was a nurse, but refused to disclose the name of the adviser under various exemptions in Part 2 of FOISA. 

3. On 18 August 2022, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant disagreed that the exemptions applied.  He told the Authority that he needed the name and registration number of the nurse in question so that he could make a formal complaint to the Nursing and Midwifery Council (the NMC).

4. The Authority notified the Applicant of the outcome of its review on 13 September 2022.  It confirmed its original decision and referred the Applicant to Decision 112/2019 in which the Commissioner had found that the Authority had been entitled to withhold the name of a social work adviser on the basis that the Authority was prohibited from disclosing the name.

5. Later that day, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He remained dissatisfied with the outcome of the review. 

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

7. On 18 October 2022, in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments.  

8. The Authority was also asked to send the Commissioner the name of the nurse in question. The Authority did this.

9. The case was allocated to an investigating officer.

10. The Applicant made submissions to the Commissioner about the case.  He was also given, and took, the opportunity to answer specific questions about the case.

Commissioner’s analysis and findings

11. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Scope of investigation 

12. In his request for review and application, the Applicant stated that he needed the nurse’s registration (PIN) in order to make a complaint to the NMC.  However, the request made by the Applicant did not ask for the nurse’s registration number.  Therefore, the Commissioner cannot consider whether the Authority should have disclosed this to the Applicant.  

13. In any event, the Commissioner understands that, if the Applicant had the name of the nurse, he could find out the registration number from searching the NMC’s website.  

Section 38(1)(b) (Personal information)

14. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR. 

15. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

16. In order to rely on this exemption, the Authority must show that the information being withheld (the name of the nurse) is personal data for the purposes of section 3(2) of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR. 

17. The definition of “personal data” is set out in full in Appendix 1.)  The two main elements of personal data are that:

(i) the information must “relate to” a living person; and

(ii) the living individual must be identifiable. 

18. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

19. An “identifiable living individual” is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018). 

20. The Applicant asked for the name of the person who advised the Authority on his complaint.  The Commissioner is satisfied that the name of the nurse is personal data – it clearly relates to the nurse as a living individual and the nurse would be identified or identifiable if the name were disclosed into the public domain.

21. Article 5(1)(a) of the GDPR requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject.” 

22. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available.”  In the case of FOISA, personal data are processed when disclosed in response to a request.  

23. Personal data can only be disclosed if disclosure would be both:

  • lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and 
  • fair.

24. The Authority stated that it could not identify a lawful basis for disclosure and that disclosure would therefore contravene Article 5(1)(a) of the GDPR.  

25. The Commissioner must consider if disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6(1) of the GDPR would allow the personal data to be disclosed.  The Authority considered whether Article 6(1)(f) could apply in this case.  (The Commissioner accepts that this is the only condition which could potentially apply in this case.)

26. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data …”. 

27. Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

28. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the name of the nurse?

(ii) If so, would the disclosure of the name be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the nurse?

29. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA.  Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the nurse before condition (f) will permit the personal data to be disclosed.  If the two are evenly balanced, the Commissioner must find that the Authority was correct to refuse to disclose the name to the Applicant.

30. The Authority recognised that there may be some value in disclosing the name of the adviser to the Applicant.  It noted that the Applicant told it he wanted the name so that he can complain to the MWC.  The Authority also recognised the wider legitimate interests in scrutinising how it makes decisions.  

31. In the circumstances, the Commissioner is satisfied that the Applicant does have a legitimate interest in obtaining the name of the nurse.  The nurse gave advice to the Authority in relation to a complaint by the Applicant which he clearly disagrees with.  He wants the name of the nurse to allow him to make a complaint to the NMC.

32. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary to achieve that legitimate interest.  

33. “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, the Commissioner must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the privacy of the nurse.

34. The Applicant advised the Commissioner on 20 October 2022 that the NMC can compel employers to provide evidence.  (The Commissioner notes that, under article 25(1) of the 2001 Order – see Appendix 1 – the NMC has the power to require a person to disclose information to it.)  

35. During a telephone call with the NMC on 14 December 2022, the NMC also confirmed that a referral could be made to it without a name or PIN being provided.

36. In the circumstances, the Commissioner is not satisfied that disclosing the name of the nurse into the public domain (which, as noted above, is the effect of a disclosure under FOISA) is necessary to achieve the Applicant’s legitimate interest, i.e. to refer his concerns to the NMC.

37. Given this finding, the Commissioner will not go on to consider whether the rights of the nurse outweigh the Applicants legitimate interest.

38. Consequently, in the absence of a condition in Article 6(1) of the UK GDPR which would allow the name to be disclosed, the Commissioner must find that disclosure of the name would be unlawful.

39. Given the Commissioner’s finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects. 

40. Given that disclosing the name would contravene Article 5(1)(a) of the UK GDPR, the Commissioner is satisfied that the name is exempt from disclosure under section 38(1)(b) of FOISA.

Section 26(a) – Prohibitions on disclosure

41. Under section 26(a) of FOISA, information is exempt from disclosure where disclosure of the information is prohibited by or under an enactment.  This is an absolute exemption, in that it is not subject to the public interest test set down in section 2(1)(b) of FOISA.  In this case, the Authority argued that such a prohibition was created by sections 12 and 19 of the SPSO Act (see Appendix 1). 

42. Section 19(1) of the SPSO Act states that information obtained by the Authority, or any of its advisers, in connection with any matter in respect of which a complaint or a request has been made, must not be disclosed except for a limited range of purposes specified elsewhere in section 19 (again, see Appendix 1 for details).  These purposes do not include disclosure of information into the public domain under FOISA. 

43. The Authority confirmed that the adviser’s information had been obtained specifically for the purpose of obtaining independent nursing advice on the Applicant’s complaint.  Information about the adviser was obtained in connection with the complaint.  In the Authority’s view, the nature of the Applicant’s complaint to it also constitutes information obtained – this could be deduced from the identity of the adviser for the case if the adviser’s identity was disclosed.

44. The Authority also referred to Decision 112/2019, referred to in paragraph 4 above.

45. The Applicant disagreed that section 19 of the SPSO Act was a prohibition on disclosure for the purposes of section 26(a) of FOISA.  He also questioned the Authority’s reference to Decision 112/2019, noting that one decision could not set a precedent.  

46. In the circumstances, the Commissioner accepts that the name of the adviser is information of a description covered by section 19(1) of the SPSO Act, i.e. information obtained by the Authority or its advisers in connection with any matter in respect of which a complaint or a request has been made.   He also accepts, as he has in a number of previous decisions, that section 19(1) creates a prohibition on the disclosure of information that engages section 26(a) of FOISA. 

47. The Commissioner therefore accepts that the SPSO was entitled to apply the exemption in section 26(a) of FOISA to withhold the name requested by the Applicant.  

48. In reaching this conclusion, he has not found it necessary to consider section 12 of the SPSO Act as well as section 19.

Section 30(c) – Prejudice to effective conduct of public affairs 

49. The Authority also argued that the name was exempt from disclosure under section 30(c) of FOISA.  Given that the Commissioner has already found the name to be exempt from disclosure under the exemptions in section 26(a) and 38(1)(b) of FOISA, he does not intend to go on to consider the exemption in section 30(c).

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Daren Fitzhenry
Scottish Information Commissioner

22 February 2023

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

26 Prohibitions on disclosure

Information is exempt information if its disclosure by a Scottish public authority (otherwise than under this Act)-

(a) is prohibited by or under an enactment;

(b) is incompatible with a Community obligation; or

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

(c) would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

3 Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

 (5)     In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

    (i) the request for information to which the requirement for review relates;

    (ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);  and

    (iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

49 Commissioner’s decision 

(3) In any other case, the Commissioner must - 

(a) give that authority notice in writing of the application and invite its comments; …

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data 

1    Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6 Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living         individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly         or indirectly, in particular by reference to – 

        (a) an identifier such as a name, an identification number, location data or an             online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental,             economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations             which is performed on information, or on sets of information, such as – 

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies. 

Scottish Public Services Ombudsman Act 2002

12 Investigation procedure  

(1) An investigation under section 2 must be conducted in private. 

(2) Where the investigation is pursuant to a complaint, the Ombudsman must give— 

    (a) the listed SPSO in question, and 

(b) any other person who is alleged in the complaint to have taken the action      complained of, 

an opportunity to comment on any allegations contained in the complaint. 

(3) In other respects the procedure for conducting the investigation is to be such as the Ombudsman thinks fit. 

(4) The Ombudsman may, in particular—

(a) obtain information from such persons and in such manner, and make such inquiries, as the Ombudsman thinks fit,

(b) determine whether any person may be represented, by counsel or solicitor or otherwise, in the investigation. 

(5) The Ombudsman may pay to— 

(a) the person by whom the complaint was made (where an investigation is pursuant to a complaint), and 

(b) any other person who attends or supplies information for the purposes of an investigation (whether or not pursuant to a complaint), 

such allowances in respect of expenses properly incurred by the person and by way of compensation for loss of time as the Parliamentary corporation may determine.

(6) The conduct of an investigation does not affect— 

(a) any action taken by the listed SPSO in question, 

(b) any power or duty of the listed SPSO to take further action with respect to any matter being investigated.

(7) Any reference in subsections (2)(a) and (6)(a) and (b) to the listed SPSO in question or to the listed SPSO includes, in relation to an investigation following a complaint, references to a listed SPSO— 

(a) which is not mentioned in the complaint, but 

(b) whose action is investigated by the Ombudsman in connection with the investigation.

19 Confidentiality of information

    (1) Information obtained by the Ombudsman or any of the Ombudsman's advisers in connection with any matter in respect of which a complaint or a request has been made must not be disclosed except for any of the purposes specified in subsection (2) or as permitted by subsection (3).

    (2) Those purposes are – 

        (a) the purposes of – 

            (i) any consideration of the complaint or request (including any statement under section 11),

            (ii) any investigation of the matter (including any report of such an investigation),

        (b) the purposes of any proceedings for – 

            (i) an offence under the Official Secrets Acts 1911 to 1989 alleged to have been committed in respect of information obtained by the Ombudsman,

            (ii) an offence of perjury alleged to have been committed in the course of any investigation of the matter,

        (c) the purposes of an inquiry with a view to the taking of any of the proceedings mentioned in paragraph (b),

        (d) the purposes of any proceedings under section 14,

        (e) where subsection (2A) applies, the purposes of a welfare fund review.

    (2A)     This subsection applies if –

        (a) the matter in respect of which the complaint or request has been made relates to an exercise of a function by a local authority on an application to receive assistance in pursuance of section 2 of the 2015 Act, and

        (b) the welfare fund review relates to the decision made by the authority on that application. 

    (2B)     Information obtained by the Ombudsman or any of the Ombudsman’s advisers in connection with a welfare fund review must not be disclosed except for any of the purposes specified in subsection (2C) or as permitted by subsection (3).

    (2C)    Those purposes are – 

        (a) the purposes of the review,

        (b) the purposes of any proceedings for – 

            (i) an offence under the Official Secrets Acts 1911 to 1989 alleged to have been committed in respect of information obtained by the Ombudsman,

            (ii) an offence of perjury alleged to have been committed in the course of the review,

        (c) the purposes of an inquiry with a view to the taking of any of the proceedings mentioned in paragraph (b),

        (d) where subsection (2D) applies, the purposes of any consideration of a complaint or request in respect of a matter, or the investigation of the matter.

    (2D)    This subsection applies if – 

        (a) the matter in respect of which the complaint or request has been made relates to an exercise of a function by a local authority on an application to receive assistance in pursuance of section 2 of the 2015 Act, and 

        (b) the welfare fund review relates to the decision made by the authority on that application.

    (3) Where information referred to in subsection (1) or (2B) is to the effect that any person is likely to constitute a threat to the health or safety of individuals (in particular or in general), the Ombudsman may disclose the information to any person to whom the Ombudsman thinks it should be disclosed in the interests of the health or safety of the particular individuals or, as the case may be, individuals in general.

    (4) In relation to information disclosed under subsection (3), the Ombudsman must-

        (a) where the Ombudsman knows the identity of the person to whom the information relates, inform that person of the disclosure of the information and of the identity of the person to whom it has been disclosed, and

        (b) inform the person from whom the information was obtained of the disclosure.

    (4A) The duty under subsection (4)(a) to inform a person about the identity of a person to whom information has been disclosed does not apply where informing the former person is likely to constitute a threat to the health and safety of the latter person.

    (5) It is not competent to call upon the Ombudsman or the Ombudsman's advisers to give evidence in any proceedings (other than proceedings referred to in subsection (2)) of matters coming to the knowledge of the Ombudsman or advisers in connection with any matter in respect of which a complaint or request has been             made.

    (5A) It is not competent to call upon the Ombudsman or the Ombudsman's advisers to give evidence in any proceedings (other than proceedings referred to in subsection (2C)) of matters coming to the knowledge of the Ombudsman or advisers in connection with a welfare fund review.

    (6) A member of the Scottish Executive may give notice in writing to the Ombudsman with respect to – 

        (a)    any document or information specified in the notice, or

        (b)    any class of document or information so specified, 

        that, in the opinion of the member of the Scottish Executive, the disclosure of the document or information, or of documents or information of that class, would be contrary to the public interest.

    (7) Where such a notice is given nothing in this Act is to be construed as authorising or requiring the Ombudsman or any of the Ombudsman's advisers to communicate to any person or for any purpose any document or information specified in the notice, or any document or information of a class so specified.

    (8) Information obtained from - 

        (a)    the Information Commissioner by virtue of section 76 of the Freedom of Information Act 2000 (c.36)

        (b)     the Scottish Information Commissioner by virtue of section 63 of the Freedom of Information (Scotland) Act 2002 (asp 13), is to be treated for the purposes of subsection (1) as obtained in connection with any matter in                 respect of which a complaint or request has been made.

    (9) In relation to such information, subsection (2)(a) has effect as if-

        (a)    the reference in sub-paragraph (i) to the complaint or request were a reference to any complaint or request, and

        (b)    the reference in sub-paragraph (ii) to the matter were a reference to any matter.

    (10) In this section and section 20 references to the Ombudsman's advisers are to persons from whom the Ombudsman obtains advice under paragraph 10 of schedule 1.

Nursing and Midwifery Order 2001

25 Council’s power to require disclosure of information 

(1) For the purpose of assisting the Council, any of its Practice Committees, the Registrar or any other officer of the Council in carrying out functions in respect of fitness to practise, a person authorised by the Council may require any person (other than the person concerned) who in his opinion is able to supply information or produce any document which appears relevant to the discharge of any such function, to supply such information or produce such a document.