Decision 067/2023: Infant mortality September 2021 – numbers of vaccinated and unvaccinated mothers

Authority:  Public Health Scotland
Case Ref:  202101555

Summary

The Applicant asked the Authority for the number of vaccinated and unvaccinated mothers of infants who had died in September 2021 within 28 days of birth.  The Authority refused to disclose the information on the basis that it was personal data and disclosure would breach data protection principles.  During the investigation, the Authority also claimed that disclosure of the information would constitute an actionable breach of confidence.  The Commissioner investigated and found that the information was not personal data and that its disclosure would not constitute an actionable breach of confidence.  He required the Authority to disclose the information requested.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(c) and (e)(ii) (Effect of exemptions); 36(2) (Confidentiality); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of ”personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 19 November 2021, the Applicant made a request for information to the Authority.  Referring to a media article concerning a spike in infant mortality in Scotland in September 2021, he asked for:

   [“1. Number of vaccinated vs unvaccinated mothers of the tragically-deceased infants referred to in the article.

   2. Percentage of vaccinated vs unvaccinated mothers in Scotland in the same month of September 2021.”]

2. The Authority responded on 17 December 2021.  It refused to provide the actual numbers requested in part 1 on the basis that it comprised personal health information of third parties, disclosure of which would breach data protection principles (section 38(1)(b) of FOISA).  For part 2 of the request, the Authority explained that the information was already available in its COVID 19 Statistical Report published on 8 December 2021 (in the “Vaccination in pregnancy” data file), and applied section 25 (Information otherwise accessible) of FOISA to that information.

3. The Authority stated that the higher number of neonatal deaths in September 2021 had prompted an additional review of available data at national level, in particular with respect to the role of prematurity and to understand any relationship with COVID 19 infections.  Results and commentary from this analysis were published on the Coronavirus (COVID-19) Wider Impact Dashboard on 1 December 2021.  The Authority also explained that the most recent data and commentary on COVID 19 infection and vaccination in pregnancy was included in the COVID 19 Statistical Report of 8 December 2021.

4. On 17 December 2021, the Applicant wrote to the Authority requesting a review of its decision for part 1 of his request.  The Applicant stated that he was dissatisfied with the decision because he did not believe that the information was “personal health information of third parties”.  The Applicant argued that providing raw numbers was in no way a danger to personal health information or to the privacy of the individuals concerned.

5. The Authority notified the Applicant of the outcome of its review on 21 December 2021, fully upholding its original decision.  It explained that it had a legal duty to keep personal health information secure and confidential.  In considering the risk of identification of the individuals involved, it had taken into account factors such as the sensitivity of the topic (i.e. the COVID 19 vaccination status of pregnant women); the low denominator population (i.e. the corresponding number of neonatal deaths); the nature of a disclosure under FOISA (which places data into the public domain with no measures in place to protect it); and the requirement to link the personal health information records of the deceased infants to those of pregnant women, thus deriving additional personal and sensitive information about another group of persons.

6. The Authority stated that it had also considered whether the data which it already publishes (about COVID 19 infection and vaccination in pregnancy) could be combined with that from other sources to identify individuals and disclose further personal details about those involved.  For these reasons, the Authority upheld its use of the exemption in section 38(1)(b) of FOISA for the information requested.

7. On 21 December 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated that he was dissatisfied with the outcome of the Authority’s review because he did not believe that the integrity of any personal data would be compromised by the disclosure of the raw numbers in this instance.

Investigation

8. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

9. On 20 January 2022, the Authority was notified in writing that the Applicant had made a valid application and was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was subsequently allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These focussed on the Authority’s justification for withholding the information requested in part 1 under the exemption in section 38(1)(b) of FOISA.

11. During the investigation, the Authority informed the Commissioner that it now also wished to rely on the exemption in section 36(2) of FOISA to withhold the information requested in part 1 of the request, and it provided submissions to support its reliance on this exemption.

12. In the interests of natural justice, the Applicant was updated on the Authority’s revised position, and was asked to provide any additional comments he wished to make.

13. Both parties provided submissions to the Commissioner.

Commissioner’s analysis and findings

14. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

Section 38(1)(b) – Personal information

15. At both initial response and review stages, the Authority withheld the information requested in part 1 of the request under section 38(1)(b) of FOISA.  Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

16. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. To rely on this exemption, the Authority must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

18. The Commissioner must therefore decide whether the Authority was correct to withhold the information requested under section 38(1)(b) of FOISA.

Is the withheld information personal data?

19. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018.  Only where he accepts that it is personal data will he go on to consider whether, as claimed by the Authority in this case, it falls within any of the special categories of personal data defined in Article 9 of the UK GDPR: if the information is not personal data, it cannot be special category data.

20. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 identifies "identifiable living individual" as a living individual who can be identified, directly or indirectly, in particular by reference to –

(i) an identifier, such as a name, an identification number, location data, or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(This definition reflects the definition of personal data in Article 4(1) of the UK GDPR – see Appendix 1.)

21. In the case of Breyer v Bundesrepublik Deutschland (C-582/14), the Court of Justice of the European Union looked at the question of identification.  The Court took the view that the correct test to consider is whether there is a realistic prospect of someone being identified.  In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party.  However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data.

22. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply.  As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.  In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments.  It confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

The Authority’s submissions

23. In its submissions to the Commissioner, the Authority maintained that the data was personal data, disclosure of which would breach data protection principles.  It also considered that the information requested amounted to special category personal data as defined in Article 9 of the UK GDPR, as it related to the health of the bereaved mothers.  Within the range of special category personal data, the Authority believed the information requested to be at the extreme end of sensitivity.

24. The Authority acknowledged that, by itself, the data would not identify living individuals.  However, when combined with other information available either to the public or to specific individuals (examples of which were provided by the Authority), the Authority believed there was a significant risk that the medical details of living individuals - specifically the COVID 19 vaccination status of the bereaved mothers - could be deduced.

25. In support of its arguments, the Authority submitted that neonatal death was uncommon and the timeframe specified in the request (a single month) was narrow, hence the number of individuals involved was small.  It further highlighted that the specific medical details requested about this group of individuals (i.e. their COVID 19 vaccination status) was viewed as highly contentious by some individuals.

26. The Authority stated that it did not routinely consider the rationale as to why an individual might request information.  However, in this case, it assumed that the purpose of the request was to establish whether there was any relationship between maternal COVID 19 vaccination and pregnancy outcomes, including neonatal death.  As it could not take any assurances from an applicant that the information would not be used, processed or shared outwith any stated intent, the Authority explained that it treated any information disclosed in response to an FOI request as being placed into the public domain and therefore available to any individual for any purpose.

27. In the Authority’s view, there was a realistic prospect that, given the small numbers involved and the specific group of people to whom the information related, when combining data which was already publicly available with the information requested here, it could be used to identify the vaccination status of particular individuals.

28. The Authority provided detailed explanation of the steps it believed a motivated individual could take to identify the individuals to whom the data related, and set out why it considered disclosure of the information would facilitate this or make it easier.

29. The Authority recognised that taking such steps would be relatively difficult.  However, it believed that there was a realistic risk that a sufficiently motivated individual may attempt this, given the extreme objection to COVID 19 vaccination demonstrated throughout the pandemic by a minority of individuals.  In support of its position on this, it provided evidence of complaints received following publication of the media article referred to in the Applicant’s request.  It also submitted that the Facebook page of one hospital maternity unit had been suspended as a result of being targeted by similar messages in response to a professional post encouraging pregnant women to be vaccinated.

30. The Authority submitted that, as a public health body that fully complies with data protection law, while being as open and transparent as possible in order to carry out its statutory functions in public health, it was obliged to apply some controls when considering disclosure of information on the particular topic of COVID 19 vaccination in pregnancy involving small numbers of vulnerable individuals, in order to protect them and prevent them from coming to harm from a minority of highly vocal anti-vaccination groups of members of the public.  While the Authority recognised that no method of data control (for example, releasing aggregate figures) could absolutely protect living individuals from highly motivated individuals, it argued that this must not be an excuse to abandon any controls that could be put in place to minimise this risk (for example, guidance from the General Medical Council on the disclosure of anonymised data).

31. In conclusion, for the reasons set out above, the Authority believed the information amounted to personal data, disclosure of which would breach data protection principles.

The Applicant’s submissions

32. In his application to the Commissioner, the Applicant submitted that the integrity of any personal data would not be compromised by disclosure of the information.

The Commissioner’s views

33. The Commissioner has considered the submissions from the Authority explaining why it believed the information requested was personal data.

34. In doing so, he has taken account of the information itself which is, effectively, the total numbers of vaccinated and (separately) unvaccinated mothers of [those] infants who died in September 2021.  He also recognises the sensitivity and sadness of the circumstances which underpin the existence of the data requested.

35. The Commissioner notes that the Applicant has not asked for the vaccination status of each individual to whom the data relates, rather he is seeking two statistical totals.

36. The Commissioner has taken into account that the number of neonatal deaths in September 2021 was proactively and publicly disclosed by the Authority as part of an official release.  In light of this, he recognises that a reasonable person could take an educated guess, based on probability, as to the approximate number of bereaved mothers involved.  While any individual could take a guess, either way, as to the vaccination status of these individuals (or may already know via other means), the Commissioner is not satisfied that disclosure of the figures requested here would add to, or confirm, any suspicion an individual may have on this point, i.e. the vaccination status of a specific mother.

37. The Commissioner has fully considered the Authority’s submissions on the course of action it believed a determined person could take to identify the data subjects.  The Commissioner has deliberately not gone into this in any further detail, but notes that the key elements, as set out in the Authority’s submissions, of any such identification of the bereaved mothers were linked to other sources which were independent of the information requested in this case.

38. The Commissioner has considered this point further.  He notes that the Authority has acknowledged that disclosure of the data, by itself, would not identify individuals and that it could already be possible for a motivated individual to take steps to identify the bereaved mothers.  That being the case, the Commissioner does not accept the arguments put forward by the Authority that disclosure of the information requested here could be used to identify the individuals concerned.

39. The Commissioner agrees with the Authority that being able to contact even some of the bereaved mothers (using the methods described in its submissions) would be relatively difficult.  In the Commissioner’s opinion, disclosure of the statistical data requested here would not make the processes described by the Authority, in its submissions, any easier or any more likely.

40. The Commissioner considers that the arguments put forward by the Authority here are, at best, hypothetical.  In his view, even if a motivated individual were able to identify any/all of the bereaved mothers from existing routes, confirmation of their vaccination status would require further steps which the Commissioner considers to be exceptionally unlikely and indeed unrealistic.  Again, he is not convinced that disclosure of the statistical data requested here would make it any easier or any more likely that a bereaved mother would be identified, or that her vaccination status would be confirmed.

41. Consequently, in all the circumstances of the case, the Commissioner is not satisfied that a realistic causal chain exists where living individuals could be identified as a direct result of disclosure of the information.  The Commissioner therefore does not accept that the information requested in part 1 of the request qualifies as personal data, as defined in section 3(2) of the DPA.  Having reached this conclusion, he is not required to go on to consider whether any of the further tests for section 38(1)(b) of FOISA apply.

42. The Commissioner therefore finds that the Authority was not entitled to withhold this information under section 38(1)(b) of FOISA.  As the Authority is also withholding the same information under the exemption in section 36(2) of FOISA, the Commissioner will now go on to consider the application of that exemption to the information requested in part 1.

Section 36(2) of FOISA - Confidentiality

43. In this case, during the investigation, the Authority revised its position to also rely on section 36(2) to withhold the information requested in part 1 of the request.

44. Section 36(2) of FOISA provides that information is exempt if it was obtained by a Scottish public authority from another person (including another such authority) and its disclosure, by the authority so obtaining it, to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person.  Section 36(2) is an absolute exemption and is not, therefore, subject to the public interest test in section 2(1)(b) of FOISA.  However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain the disclosure of information which is necessary in the public interest.

Information obtained from another person

45. Section 36(2) therefore contains a two-stage test, both parts of which must be fulfilled before the exemption can be relied upon.  The first is that the information must have been obtained by a Scottish public authority from another person.  "Person" is defined widely and means another individual, another Scottish public authority or any other legal entity, such as a company or partnership.

46. The Authority explained that the information requested was obtained from other public authorities (health boards) who treated the bereaved mothers.

47. In the circumstances, therefore, the Commissioner is satisfied that the withheld statistical data requested derives from information which was obtained by the Authority from another person and that the first part of the section 36(2) test has been fulfilled.

Actionable breach of confidence

48. The second part of the test is that the disclosure of the information by the public authority must constitute a breach of confidence actionable either by the person who gave the information to the public authority or by any other person.  The Commissioner takes the view that “actionable” here means that the basic requirements for a successful action must appear to be fulfilled.

49. There are three main requirements which must be met before a claim for breach of confidence can be established to satisfy the second element to this test.  These are:

(i) the information must have the necessary quality of confidence;

(ii) the public authority must have received the information in circumstances which imposed an obligation on it to maintain confidentiality; and

(iii) unauthorised disclosure must be to the detriment of the person who communicated the information.

50. In his submissions to the Commissioner, the Applicant found it “astonishing” that the Authority considered disclosure would constitute a breach of confidence, given he had not asked for any names, ages or any other identifiers.  He argued that he had simply requested raw numbers which were a subset of statistics which already existed (and had been widely reported on) in the public domain (i.e. the number of [those] infant deaths) without any breach of confidentiality.

51. In the Applicant’s view, to disclose (from the published statistics on the number of neonatal deaths) the raw numbers of vaccinated and unvaccinated mothers, could not breach confidentiality, as they did not provide any clues to the identification of (and therefore any knowledge about) the individuals concerned.  He believed the Authority had no grounds for applying the exemption in section 36(2) of FOISA as it failed on all three counts required to constitute an actionable breach of confidence.

Necessary quality of confidence

52. The Authority submitted that patient confidentiality applied to the vaccination status of the bereaved mothers, and the fact that they had lost their babies.  It argued that it was implicit for it to keep this information confidential, but use it to fulfil its statutory public health duties.

53. Having considered the information requested and the arguments put forward by the Authority, the Commissioner is satisfied that it fulfils the criteria of having the necessary quality of confidence.  While the Authority’s arguments here appear to focus on the vaccination status of each individual bereaved mother, he accepts that both the information for each individual and the statistical totals requested, is relatively current, is not common knowledge or publicly available and could not readily be obtained by the Applicant by any other means.  The Commissioner is therefore satisfied that this element of the second part of the section 36(2) test has been fulfilled.

Obligation to maintain confidentiality

54. The Authority submitted that it owed a duty of confidence to ensure the identities of the bereaved mothers were not exposed.  This duty of confidentiality, it explained, passed to the Authority upon receipt of the information from the treating health board.

55. The Authority argued that, were it to facilitate (through applying no disclosure controls) the exposure of the identities of the bereaved mothers and, by extension, information on their vaccination status and the loss of their babies, this would be a total breakdown of trust and would provide opportunity for a possible actionable breach of confidence.

56. The Commissioner has considered the circumstances, along with the source and content of the withheld information.  Again, the Commissioner notes that the Authority’s submissions here appear to concentrate on the vaccination status of each individual bereaved mother, as opposed to the statistical totals requested.  As rehearsed above, the Commissioner has already found that the statistical data requested here is not personal data for the purposes of FOISA as it was not realistically possible to identify the bereaved mothers directly as a result of its disclosure.  He has also taken regard of the Applicant’s reasoned arguments setting out that there was no issue with the Authority proactively and publicly disclosing the number of neonatal deaths.

57. While the Commissioner accepts that there is an obligation on the Authority to maintain the confidentiality of the vaccination status relating to each individual bereaved mother, this is not the information that the Applicant requested.  Rather, he asked for the statistical totals relating to the numbers of vaccinated or unvaccinated mothers for the month in question, and the Commissioner does not believe that there is any obligation to maintain confidentiality of that particular statistical data.  Given that the Commissioner considers there is no likelihood of identification of the individual bereaved mothers as a direct result of disclosure of the statistical totals, he does not accept the Authority’s arguments that disclosure of the information requested would provide opportunity for an actionable breach of confidence.

58. The Commissioner is therefore not satisfied that there is an obligation of confidence for the actual information requested, and so does not consider that this element of the second part of the test for section 36(2) to apply has been fulfilled.

59. As the Commissioner has found that this element of the second part of the section 36(2) test has not been fulfilled, he is not required to go on to consider the third element.

The Commissioner’s conclusions

60. Having considered carefully the withheld information alongside the submissions by the Authority and the Applicant, the Commissioner is not satisfied that the tests for an actionable breach of confidence are met in this case, in relation to any of the information being withheld under section 36(2) of FOISA.

61. As the Commissioner has found that the tests for the exemption in section 36(2) of FOISA have not been fully met, he finds that the exemption in section 36(2) of FOISA is not properly engaged.  In light of this, the Commissioner is not required to go on to consider whether disclosure of the information is necessary in the public interest.

62. As the Authority is not relying on any other exemption to withhold the information requested in part 1 of the request, the Commissioner requires the Authority to disclose it to the Applicant.

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to part 1 of the information request made by the Applicant.  The Commissioner finds that the information requested in part 1 of the Applicant’s request was incorrectly withheld under the exemptions in section 36(2) and section 38(1)(b) of FOISA, with the result that the Authority failed to comply with section 1(1) of FOISA.

The Commissioner therefore requires the Authority to disclose to the Applicant the information requested in part 1 of the request by 18 August 2023.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

Daren Fitzhenry
Scottish Information Commissioner

4 July 2023
 

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

…

(c) section 36(2);

…

(e) in subsection (1) of section 38 – 

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

 

36 Confidentiality

…

(2) Information is exempt information if-

(a) it was obtained by a Scottish public authority from another person (including another such authority); and

(b) its disclosure by the authority so obtaining it to the public (otherwise than under this Act) would constitute a breach of confidence actionable by that person or any other person.

38 Personal information 

(1) Information is exempt information if it constitutes-

…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

…

(5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

…

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

…

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

    (i) the request for information to which the requirement for review relates;

    (ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

    (iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    ...

UK General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation: 

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

Article 5 Principles relating to processing of personal data 

1 Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

…

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

…

(14) In Parts 5 to 7, except where otherwise provided – 

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.