Decision 053/2023: Incidents and complaints in a specified care home
Authority: Bon Accord Care Ltd
Case Ref: 202100933
Summary
The Applicant asked the Authority for reports relating to incidents on a particular date and details of complaints made and the outcomes for a stated time period. The Authority provided some information, provided further information outwith FOISA and withheld some information as it was personal data. The Commissioner investigated and found that the Authority was correct to withhold some of the remaining information, but wrongly withheld the information provided outwith FOISA.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effects of exemptions); 26(a) (Prohibitions on disclosure); 38(1)(b), (2A)(a), (5) (Definitions of “data protection principles”, “data subject”, “personal data”, “processing” and “UK GDPR”) and 5(A) (Personal information), 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing); 9(1) and (2)(a) and (e) (Processing of special categories of personal data)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)
Human Rights Act 1998 (HRA) section 6(1) (Acts of public authorities)
European Convention on Human Rights (ECHR) Article 8
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 22 April 2021, the Applicant made a request for information to the Authority. She asked for:
(i) A copy of all internal reports relating to incidents at a specified care home on a specific date.
(ii) The number of complainants making complaints against the care home since March 2020 and the number of complaints each complainant made.
(iii) The number of complaints that were upheld, or partially upheld, or otherwise accepted by the Authority; a summary of the complaint and any remedial action taken or best practice adopted.
2. The Authority responded on 9 July 2021. It acknowledged its late response and apologised for this. In relation to part (i) of the request, some information was provided; the number and nature of the incidents that occurred on the specified date, with the remainder of the information being withheld under section 38(1)(b) of FOISA. Information was provided in relation to parts (ii) and (iii) of the request.
3. On 9 July 2021, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that she was dissatisfied with the decision because she disagreed with the use of the exemption at section 38(1)(b) to withhold information relating to part (i) of her request, as the Applicant considered the redaction of names was sufficient to protect the identities of individuals.
4. The Authority notified the Applicant of the outcome of its review on 30 July 2021, in which it upheld its original decision. It considered disclosure would breach the confidentiality of the individuals concerned and that redacting their names was not sufficient to protect their identities.
5. On 31 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of the Authority’s review because she did not agree with the Authority’s reasons for withholding the information in relation to part (i) of her request.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 27 August 2021, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to its decision to withhold the requested information under section 38(1)(b) of FOISA.
Withheld information
9. The withheld information in this case comprises of seven documents. The Applicant has had access to documents five, six and seven via another route, outside of FOISA.
10. Some of the documents relate to individuals who, unfortunately, are no longer alive.
Commissioner’s analysis and findings
11. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 38(1)(b) – Personal information
12. In part (i) of her request, the Applicant asked for copies of internal reports relating to incidents that occurred on a specific date at a specific home. The Authority provided the Applicant with the number and type of incidents that were reported on that date, but withheld the remaining information under section 38(1)(b) of FOISA, on the basis that the information contained was personal and disclosure would be a breach of the confidentiality of the individuals concerned.
13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
14. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
15. To rely on the exemption in section 38(1)(b), the Authority must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.
16. Article 9 of the UK GDPR describes personal data that falls within the special categories of personal data, including where it reveals information about an individual’s health.
Is the information personal data?
17. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. “Identified living individual” is defined in section 3(3) of the DPA 2018 – see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)
18. Documents five, six and seven of the withheld information cannot fall within this definition, as they do not relate to a living individual.
19. The Commissioner must also consider whether any of the withheld information is special category data as defined in Article 9 of the UK GDPR (see Appendix 1). This includes data which concerns the health of an individual.
20. Documents five, six and seven of the withheld information cannot fall within this exemption, as they do not relate to a living individual.
21. The Authority submitted that redaction of the names of the individuals concerned was not sufficient to prevent them being identified. It argued that other identifying information was on the form, that could lead to identification. It highlighted that the care home was a small community, with only 52 residents at the time of the request.
22. In its submission, the Authority pointed out that FOISA gives the right to information, not documents, and that it had provided information to the Applicant on the nature of the incidents (in documents one to four) that had occurred, and that, if all of the information it considered to be personal data was redacted from the forms, this was all that would meaningfully remain.
23. The Applicant submitted that names could be redacted, thus allowing the remaining information to be disclosed. In her view, she would need to know other information about these residents in order to be able to identify them.
24. She argued that, even were the withheld information to include medical information, without wider knowledge of the care home’s population, she did not think individuals could be identified and so the information would not constitute personal data.
25. The information being withheld is on a form that is completed following an accident or incident to a service user within the home. This is a mixture of tick boxes and boxes to be written in by staff.
26. The Applicant’s argument focused on the information being disclosed to her and her knowledge of the service users: however, disclosure under FOISA is considered to be disclosure into the public domain. The Commissioner must therefore consider whether there is a possibility of identification in this environment.
27. The Authority submitted incidents to service users are processed under Article 9(h) of the UK GDPR as they relate to the provision of health and social care, and that all of the reports, in their entirety, are data concerning the health of the individual (as they are a record of an incident which resulted in an intervention to support that individual’s health and wellbeing, together with details of that intervention).
28. Having considered the submissions from both the Applicant and the Authority, the Commissioner considers much of the withheld information is a mixture of special category data and personal data. A very limited amount of information that would be conveyed by the ticked boxes could be considered to fall outwith either of these categories, and so not be subject to section 38(1)(b). The Commissioner considers that this information has already been provided to the Applicant by the Authority in its response when it provided information on the number and types of incidents that had occurred.
Special Category Data - Lawfulness
29. The Commissioner has accepted that some of the information would be special category data for the purposes of Article 9(1) of the UK GDPR. Special category personal data is afforded more protection by the UK GDPR. To be lawful, their processing must meet one of the conditions in Article 9(2) of the UK GDPR.
30. The Commissioner’s guidance on section 38 of FOISA notes that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances. The Commissioner considers that the only situations where it is likely to be lawful to disclose special category personal data in response to an information request under FOISA is where the conditions in Article 9(2)(e) applies.
Article 9(2)(e): Manifestly made public
31. Article 9(2)(e) allows special category personal data to be processed where the personal data have manifestly been made public by the data subjects.
32. “Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.
33. Neither the Authority nor the Applicant has suggested that the personal data have manifestly been made public by the data subjects.
34. The Commissioner is satisfied that the information would not have been made public as a result of steps deliberately taken by the data subjects, and so condition 2(e) could not be met in this case. It is not information of a kind it would be reasonable to expect would be made public in such a manner.
35. In the circumstances, the Commissioner must conclude that, in the absence of a condition in the UK GDPR allowing the special category personal data to be processed, that disclosure would be unlawful.
Special Category Data - Fairness
36. Given that the Commissioner has concluded that the processing of the special category personal data would be unlawful, he is not required to go on to consider whether any such disclosure would otherwise be fair or transparent in relation to the data subjects.
Personal data (that is not Special category personal data) - Will disclosure contravene one of the data protection principles?
37. The Authority considered that disclosure would breach the data protection principle in Article 5(1) of the UK GDPR, in that disclosure would not be lawful, fair and transparent. It submitted that it owed a common law duty of confidentiality to its service users.
38. As noted above, “processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.
39. The Authority maintained that its service users would not reasonably expect this type of information about their health and wellbeing to be disclosed to the public, and that its privacy notice created no expectation that this type of information would be disclosed publicly.
40. It argued that it would not be fair or transparent to leave open the possibility of the information being put to different uses once in the public domain, that the service users could not possibly have anticipated.
41. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
42. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.
Condition (f): legitimate interests
43. Condition (f) states that processing shall be lawful if it “…is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…”
44. Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests made under FOISA.
45. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Does the Applicant have a legitimate interest in obtaining the personal data?
(ii) If so, would disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?
Does the Applicant have a legitimate interest in obtaining the personal data?
46. The Applicant submitted that the information was of value to her and her family and that she hoped it would help her to understand better the circumstances relating to a particular individual.
47. The Authority did not consider that the Applicant had a legitimate interest in documents one to four. It maintained that it was not clear what legitimate interest could be served from obtaining additional information involving other service users.
48. Having considered all of the submissions he received, the Commissioner accepts that, as the relative of a service user, the Applicant has an interest in how incidents are reported and investigated, and to the details concerning her relative.
49. However, the Commissioner does not accept that a legitimate interest has been demonstrated in relation to the third-party reports, given her stated interest was in the care provided to a particular service user (not identified in these documents).
50. In all of the circumstances of the case, in the absence of a relevant legitimate interest, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR cannot be met in relation to the withheld personal data. The Commissioner can identify no other Article 6(1) condition which would be relevant, in the circumstances. Disclosure would therefore be unlawful.
Fairness and transparency
51. Given the Commissioner’s finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.
52. The Commissioner is satisfied that the Authority properly withheld the information in documents one to four under section 38(1)(b) of FOISA.
Section 26(a) – Prohibitions on disclosure
53. Section 26(a) of FOISA provides that information is exempt information if disclosure by a Scottish public authority (otherwise than under FOISA) is prohibited by or under an enactment. This is an absolute exemption, in that it is not subject to the public interest test set down in section 2(1) of FOISA.
54. The Authority argued that disclosure of documents five, six and seven under FOISA was prohibited by another piece of legislation, in this case the Human Rights Act 1998 (HRA).
55. The Authority submitted that disclosure of the information into the public domain (which is the effect of a disclosure under FOISA) was contrary to Article 8 of the European Convention on Human Rights (the Convention), and that section 6(1) of the HRA states that it is unlawful for a public authority to act in way that is incompatible with the Convention.
56. The Authority referred to Decision 165/2007 and considered that disclosure of the information in response to a request under FOISA, and thus into the public domain, would intrude into the privacy of surviving relatives.
57. Article 8 of the Convention confers a right to respect for private and family life, home and correspondence, and it imposes both positive and negative duties on a public authority. This means that there will be some cases where disclosure of information would breach the rights contained in Article 8, but there may also be cases where refusal to disclose information constitutes a breach of Article 8. Article 8 is a qualified right. This means there is a need to balance the competing rights of different groups of individuals.
58. The Authority’s position considered the rights of one group, that needed to be balanced and considered against the rights of the Applicant (and, potentially, others). This balance was not apparent in the submissions provided to the Commissioner.
59. An authority must also consider all of the other requirements of Article 8(2), including whether or not disclosure would be proportionate in relation to the harm that may be caused. Article 8(2) provides:
There shall be no interference by a public authority with the exercise of this right [the right to respect for private and family life, home and correspondence] except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for protection of health or morals, or for the protection of the rights and freedoms of others.
60. The Commissioner does not find that the submissions from the Authority were sufficient to allow him to determine that the balance of rights favoured the Authority’s position.
61. The Commissioner is not, therefore, able to uphold the Authority’s use of section 26(a) of FOISA to withhold the information.
Decision
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that, by relying on the exemption in section 38(1)(b) of FOISA for withholding certain information, the Authority complied with Part 1.
However, by wrongly relying on section 26(a) of FOISA to withhold the information in documents five, six and seven, the Authority failed to comply with Part 1 (and, in particular, section 1(1) of FOISA).
Given that the information in documents five, six and seven has already been provided to the Applicant outside of FOISA, the Commissioner does not require the Authority to take any action in respect of this failure.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Margaret Keyse
Head of Enforcement
31 May 2023
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
…
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
26 Prohibitions on disclosure
Information is exempt information if its disclosure by a Scottish public authority (otherwise than under this Act) -
(a) is prohibited by or under an enactment;
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
…
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii_ the matter which gives rise to the dissatisfaction mentioned in subsection (1).
…
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Article 9 Processing of special categories of personal data
1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2 Paragraph 1 shall not apply if one of the following applies:
…
e. processing relates to personal data which are manifestly made public by the data subject;
…
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
…
Human Rights Act 1998
6 Acts of public authorities
(1) It is unlawful for a public authority to act in a way which is incompatible with a Convention right.
…
European Convention on Human Rights and Fundamental Freedoms
Article 8
(1) Everyone has the right to respect for his private and family life, his home and his correspondence.
(2) There shall be no interference by a public authority with this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
