Decision 017/2022

Decision 017/2022: Multi-Agency Risk Assessment Conference (MARAC) data controllers

Public authority:  Highland Health Board
Case Ref:  202100447

Summary

NHS Highland was asked for the data controller(s) recorded for specific Multi-Agency Risk Assessment Conferences (MARACs).  NHS Highland disclosed some information and gave some explanations.  The Applicant remained dissatisfied, believing the information to be incomplete.

The Commissioner investigated and found that NHS Highland did hold further information falling within the scope of the request.  He required NHS Highland to provide a revised review outcome to the Applicant.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement); 17(1) (Notice that information is not held)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 7 February 2021, the Applicant made a request for information to Highland Health Board (NHS Highland).  The information requested under FOISA was- 
… the Data Controller (or Data Controllers) that are recorded by NHS Highland Board for the following Multi-Agency Risk Assessment Conferences (MARACs):

 Highlands: Caithness and Sutherland

 Highlands: Inverness, Badenoch, Strathspey and Nairn

 Highlands: Lochaber

 Highlands and Islands: Orkney

 Highlands: Ross-shire and Skye

 Highlands and Islands: Shetland

 Highland and Islands: Western Isles

2. NHS Highland responded on 9 March 2021, stating that the information sought was not recorded in the manner requested.  It explained that each of the MARAC partner agencies was a data controller in its own right.  NHS Highland informed the Applicant, in terms of section 17 of FOISA, that it did not hold the information requested.

3. On 10 March 2021, the Applicant wrote to NHS Highland requesting a review of its decision as he was dissatisfied with its response.  He referred to the Commissioner’s Decision 092/2019 which, he argued, made clear that a multi-agency meeting or group was not a single legal entity and, therefore, NHS Highland’s data controller (should NHS Highland be registered with a protection reference number) or any other single organisation could not be the data controller for an entity with no legal character.  In his view, NHS Highland’s section 17(1) response implied it had absolved itself of statutory data protection responsibilities.

4. The Applicant commented that when sharing “sensitive” data between data controllers (as occurs at a MARAC) there should be a valid data protection impact assessment (DPIA) in place to confirm compliance with data protection legislation.  Further, prior to such sharing, an information sharing agreement (ISA) and/or appropriate policy document (APD) should be in place to ensure its lawfulness.

5. The Applicant believed that NHS Highland should be able to provide the full list of data controllers (including itself, with its ICO-registered data protection reference number) with whom it shared data.  In his view, failure to do so indicated that NHS Highland was sharing data with other data controllers unlawfully, in breach of data protection legislation, and that the DPIA and ISA/APD were not in place.  He asked NHS Highland to provide the full and exhaustive list of data controllers who had participated in MARACs involving NHS Highland, or to verify its section 17(1) response.  If NHS Highland had no involvement in the MARAC process, then this information could be provided.

6. NHS Highland notified the Applicant of the outcome of its review on 7 April 2021, upholding its original decision that no information was held.  It stated that a MARAC was not a legal entity in its own right and that each agency would have its own data controller who governed information sharing.  It further explained that information shared at a MARAC did not belong to the MARAC: it was the responsibility of each agency to ensure that information shared was compliant with data protection legislation.

7. NHS Highland’s understanding of the Applicant’s request was to detail the data controller(s) recorded by NHS Highland for the MARACs listed in the request.  It provided what it considered to be the information requested (namely the relevant NHS Board as being the data controller for each area listed in the request).

8. On 7 April 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA as he was dissatisfied with the outcome of NHS Highland’s review.  He understood that the guidance document for multi-agency working dated from May 2014.  Given that all the data controllers present at the MARACs listed in his request were not recorded by NHS Highland and provided in response to his initial request (where a section 17(1) notice was given), he argued that logically NHS Highland could not have recorded a DPIA, ISA and APD for the data sharing, otherwise the information requested would have been recorded and could have been provided in response to his request.

9. The Applicant further argued that no information was provided for the other data controllers with whom NHS Highland shared special category and criminal offence data.  He asked the Commissioner to challenge NHS Highland to disclose the other data controllers with whom it shared the personal data of data subjects without their consent, in the absence of a valid DPIA, ISA and APD.  If NHS Highland had no record of the other data controllers with whom it shared special category or criminal offence data at a MARAC, he asked the Commissioner to require NHS Highland to issue a section 17(1) notice stating it did not have this information, which, in his view, would indicate that NHS Highland was breaching data protection legislation and had been doing so since 25 May 2018.

Investigation

10. The application was accepted as valid.  The Commissioner confirmed that the Applicant had made a request for information to a Scottish public authority and had asked the authority to review its response to that request before applying to him for a decision.

11. On 26 April 2021, NHS Highland was notified in writing that the Applicant had made a valid application and the case was subsequently allocated to an investigating officer.

12. The investigating officer noted that, in his application to the Commissioner, the Applicant had commented on NHS Highland’s alleged failure to provide information for other data controllers with whom it shared special category and criminal offence data, and for other data controllers with whom it shared personal data without the consent of data subjects.  These issues did not form part of the Applicant’s original information request, which essentially asked for the data controller(s) recorded by NHS Highland for the MARACs listed in his request, and so the Commissioner has no locus to consider these additional matters within the scope of this investigation.  The Applicant was informed of this at the start of the investigation.

13. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  NHS Highland was invited to comment on this application and to answer specific questions.  These focused on whether NHS Highland held any further information falling within the scope of the Applicant’s original information request.

14. NHS Highland provided submissions to the Commissioner.

Commissioner’s analysis and findings

15. In coming to a decision on this matter, the Commissioner has considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Highland.  He is satisfied that no matter of relevance has been overlooked.

Whether NHS Highland held any further information falling within scope

16. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.  The qualifications contained in section 1(6) are not applicable in this case.

17. The information to be given is that held by the authority at the time the request is received, as defined by section 1(4).  If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to that effect.

18. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities.  In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.  He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information.  While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority and falls within the scope of the original request.

19. The Commissioner has taken account of the arguments in both the Applicant’s requirement for review and his application (see above), in which he provides reasons as to why he considers NHS Highland should hold further information falling within the scope of his request.

NHS Highland’s submissions

20. In its submissions to the Commissioner, NHS Highland explained its handling of the Applicant’s initial request and request for review.  It stated that its initial response advised that the information was not held in the format requested as each of the MARAC partner agencies was a data controller in its own right.  Noting that the request had been sent to a number of public authorities which could be MARAC data controllers, the response was only considered for NHS Highland and details of partner agencies were not provided.

21. At review stage, NHS Highland submitted that it had reconsidered the Applicant’s request and its original response.  NHS Highland’s understanding of the request was that it asked for details of the data controller(s) recorded for the MARACs listed in the request.  It had explained that a MARAC was not a legal entity in its own right and information shared at a MARAC did not belong to the MARAC: it was the responsibility of each agency to ensure the information shared was compliant with data protection legislation.

22. NHS Highland acknowledged that, at review stage, it was not appropriate to uphold its original decision, given that additional information had now been disclosed (i.e. information clarifying which health boards were responsible for any areas outwith NHS Highland, as listed in the request), but it maintained that the information was still not held in the format requested.

23. NHS Highland submitted that the data controllers were not individuals, but rather they were the organisations involved, the main ones for the areas listed in the Applicant’s request being NHS Highland, Police Scotland and Highland Council.

24. NHS Highland explained it had made enquiries with its MARAC Co-ordinator and Data Protection Officer.  It confirmed it had now located an extract from an early draft of an information sharing agreement for Highland and Islands MARAC, which listed all the MARAC partner agencies and their relevant ICO registration numbers.  It explained that, while these were the partners involved in MARACs, they were not necessarily present at all MARAC meetings.  NHS Highland stressed that this was an early draft, not a finalised version, but it would be happy to share this information with the Applicant in full.

25. In response to being asked to explain whether there were any circumstances which would require it to record the data controller(s) of MARAC partner agencies, NHS Highland submitted there was no specific requirement for it to record who data controller(s) were, but it would be party to any future information sharing agreement (currently being drafted).

26. Other than the extract referred to above, NHS Highland confirmed that it held no further information falling within the scope of the Applicant’s request.

The Commissioner’s conclusions

27. Having considered all relevant submissions and the terms of the request, the Commissioner is satisfied that, by the end of the investigation, NHS Highland had taken adequate, proportionate steps in the circumstances to establish whether it held any further information that fell within the scope of the request.

28. The Commissioner has also considered the definition of “controller” set out in Article 4(7) of the UK General Data Protection Regulation which states:
…“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

29. The Commissioner also notes that guidance issued by the UK Information Commissioner states that a “controller” can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional, e.g. a barrister).

30. In this regard, the Commissioner accepts that, for the purposes of MARACs, the data controllers are the agencies involved.

31. However, in terms of the scope of the request, the Commissioner does not concur with NHS Highland’s initial interpretation that the request related solely to itself.  The wording of the request is clear, in that it seeks the data controllers recorded by NHS Highland for the MARACs listed in the request.  This would cover all agencies involved in those MARACs for which NHS Highland holds recorded information.  The Commissioner also notes that the request did not ask for the data controller(s) for each of the listed MARACs individually.

32. Neither does the Commissioner agree with NHS Highland’s view that it does not hold the information in the format requested.  Having considered the terms of the request and the information identified during the investigation (referred to above), the Commissioner is satisfied that it is reasonable to interpret the Applicant’s request as encompassing that information.

33. While the information now identified is held in an early draft of an ISA, it comprises recorded information held by NHS Highland at the date of the request and the Commissioner is satisfied that it falls within the scope of the Applicant’s request.  The Commissioner notes that NHS Highland is willing to disclose this information in full to the Applicant.

34. In conclusion, the Commissioner finds that, by interpreting the scope of the request too narrowly, NHS Highland failed to initially identify all of the information it held which fell within the scope of the request, and so failed to comply with section 1(1) of FOISA.

35. The Commissioner further finds that NHS Highland was not entitled to notify the Applicant, in line with section 17 of FOISA, that it did not hold any recorded information falling within the scope of his request.

36. The Commissioner therefore requires NHS Highland to issue a revised review outcome, otherwise than in terms of section 17(1) of FOISA, to the Applicant.

Decision 

The Commissioner finds that Highland Health Board (NHS Highland) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

He finds that NHS Highland breached section 1(1) of FOISA by notifying the Applicant, in terms of section 17(1) of FOISA, that it did not hold any information falling within the scope of his request, and by failing to identify all relevant information falling within scope.

The Commissioner requires NHS Highland to carry out a fresh review and provide the Applicant with a revised review outcome, otherwise than in terms of section 17(1) of FOISA, by 21 March 2022.

Appeal

Should either the Applicant or NHS Highland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If NHS Highland fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS Highland has failed to comply.  The Court has the right to inquire into the matter and may deal with NHS Highland as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement
2 February 2022


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),
if it held the information to which the request relates; but

(b) the authority does not hold that information,
it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.