Decision 077/2023: Significant Adverse Event Reviews and action plans
Authority: Greater Glasgow and Clyde Health Board
Case Ref: 202100823
The Authority was asked for its first 50 Significant Adverse Event Reviews (SAERs) from 2017, together with their action plans. The Authority disclosed the information, but redacted some third-party personal data and information which constituted deceased persons’ health records. The Commissioner was satisfied that, except for a small amount of additional information which the Authority considered could be disclosed, the information redacted from the SAERs and action plans was exempt from disclosure.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(i) and (ii) (Effect of exemptions); 38(1)(b) and (d), (2A) and (5) (definitions of “data protection principles”, “data subject”, “health record”, “personal data” and “processing”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing); 9(1) and (2)(e) (Processing of special categories of personal data)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data); 204(1) (Meaning of “health professional” and “social work professional”)
Access to Health Records Act 1990 (the AHRA) section 1(a) and (b) (“Health record” and related expressions); 2 (Health professionals)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 15 January 2020, the Applicant had made an information request to the Authority. The Applicant asked for the first 50 Serious Adverse Event Reviews (SAERs) from 1 January 2017, together with their action plans. The Applicant referred the Authority to two previous decisions from the Commissioner, Decision 036/2012 Ayrshire and Arran Health Board and Decision 099/2017 Lothian Health Board, both of which dealt with similar information.
2. The Authority took the view that complying with the request would exceed the cost threshold (£600) and so it was not obliged to comply with the response under section 12(1) of FOISA. The Commissioner disagreed and, on 28 April 2021, following an application from the Applicant, issued Decision 055/2021 Greater Glasgow and Clyde Health Board, which required the Authority to provide a new response to the Applicant’s requirement for review other than in terms of section 12(1) of FOISA.
3. The Authority did this on 14 June 2021. It provided the Applicant with redacted versions of the SAERs and action plans.
4. On 8 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant was dissatisfied with the level of redactions made by the Authority: it believed that the exemptions had not been applied properly and commented that the public interest was not served if lessons from SAERs are not learned and if the details are hidden from public scrutiny. The Applicant commented that the reports disclosed were not in a readable or acceptable form which showed clearly what happened in these events or what the outcomes were.
5. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
6. On 3 August 2021, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority did this and the case was allocated to an investigating officer.
7. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application on 10 January 2022 and to answer specific questions, including justifying its reliance on any provisions of FOISA it considered applicable to the information requested. The Authority did this on 14 February 2022. It advised the Commissioner that it was withholding information under the following exemptions:
(i) section 38(1)(b): third party personal data and
(ii) section 38(1)(d): a deceased person’s health record.
8. Although the Authority had applied the exemption in section 30(c) of FOISA (Prejudice to effective conduct of public affairs) at the review stage, it advised the Commissioner that it no longer wished to rely on that exemption.
9. The Authority also advised the Commissioner that it was now willing to disclose a small amount of information which it had previously redacted. In the absence of submissions from the Authority as to why that information was previously considered to be exempt from disclosure, the Commissioner must find that, by withholding the information in question, the Authority breached Part 1 (and, in particular, section 1(1)) of FOISA.
10. The Authority advised the Commissioner that an adverse event can be defined as an event that could have caused, or did result in, harm to people or groups of people, that may have contributed to or resulted in permanent harm, for example unexpected deaths, or intervention required to sustain life. The Authority has a responsibility to ensure that such incidents are appropriately investigated to minimise the risk of recurrence. In these cases, a SAER will be carried out, producing a report which identifies any lessons which can be learned from the incident.
11. According to the Authority, not all SAERs will identify system failures. A review may conclude that the care delivered was appropriate and the event was unavoidable. The potential for learning in these cases should still be recognised and areas of good practice shared appropriately in order to increase the safety of care systems for everyone. The Authority provided the Commissioner with a copy of its policy on the Management of Significant Adverse Events. The policy is also available online.
12. The Authority advised the Commissioner that, in undertaking a SAER, a Review Group will be convened, usually identifying a Lead Investigator, and terms of reference and objectives will be established. The SAER report will identify the process of data gathering and sources of information from which the findings for the review are drawn. The Review team will undertake a detailed review of all appropriate healthcare records and, in some cases, a timeline of events will be constructed from healthcare records.
13. Other sources of information may include (but are not limited to):
(i) interviews and discussion with individuals involved in the event
(ii) statements from individuals involved in the event
(iii) interviews and discussions with family members
(iv) patient’s GP and clinicians with relevant specialist knowledge.
14. The Authority noted that, due to the nature of these events, and the process of investigation, SAERs will contain a significant amount of sensitive information about a patient’s physical or mental health, and information about members of staff.
Commissioner’s analysis and findings
15. The Commissioner’s role here is to determine whether the exemptions applied have been applied appropriately. The Applicant has not suggested that the exemptions should not apply at all, but clearly believes that the exemptions have been applied too broadly.
16. The Commissioner wishes to make it clear that, in determining how the exemptions have been applied, he has had sight of the withheld information.
Section 38(1)(b): third party personal data
17. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
18. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
19. In order to rely on this exemption, the Authority must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.
Is the withheld information personal data?
20. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018.
21. The two main elements of personal data are that:
(i) the information must “relate to” a living individual and
(ii) the living individual must be identifiable
22. As can be seen from these tests, information can only be "personal data" if it relates to living individuals. Sadly, a number of the patients who are the subjects of the reports have died and, as a result, the exemption in section 38(1)(b) does not apply to their information. However, in recognition of this, the Authority applied the exemption in section 38(1)(d) (deceased person's health records). This exemption is considered in more detail below.
Does the information “relate to” individuals?
23. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus. The Authority redacted information from the SAERs and action plans on the basis that it was personal data relating to:
(i) living individuals such as the patient or patient’s family
(ii) staff involved in the investigation and
(iii) staff involved in the adverse event
24. The Authority withheld information that it considered to be the personal data of patients. The Authority noted that the information withheld contains information about identifiable living individuals who are the subject of the SAER. The information relates to the patients as it is about them and has them as its main focus. The information has biographical significance, placing the patient in a particular location and point in time. In addition, the SAERs contain information about the physical, physiological, genetic, mental and social identity of the individuals to whom the SAERs relate, as they describe the care and treatment received by these individuals. In some cases, the personal data extends to information about an individual’s family, or their interaction with family members. Although the patients are not named, there is considerable detailed information in the reports from which identification of the individual patients remains possible. This includes information such as the hospital and ward in which the patient was treated, medical condition, dates and details of treatment. In some cases, the incident itself is extremely unique which, in and of itself, increases the likelihood of identification.
25. The Authority noted that the information also includes the personal data of staff involved in the teams who carried out the review. It commented that staff involved in review teams, and staff who carried out tasks and recommendations specified in the action plans, are named in the reports together with their job titles and, usually, the hospital or department that is their normal work location. The Authority considered these individuals to be clearly identifiable and that their names, job titles and work locations were their personal data.
26. The Authority also noted that this information would provide a direct link to the service or speciality and hospital in which a patient has been treated, and an indication of the type of treatment a patient has been receiving. Due to this link, the Authority considered that, in many cases, this would lead to an increased likelihood of patients being identified. The Authority also noted that, although it considered the names, job titles, etc. of the staff involved in reviews to be personal data, the personal data had in certain circumstances been disclosed. This is considered in more detail below.
27. The Authority noted that staff who were directly involved in the incidents which led to the SAERs are not generally named in the SAER reports, but are often referred to as Staff Nurse A, Surgeon B, Doctor C, etc. However, some of the reports use the first letter of the member of staff’s surname. In the Authority’s view, this information, when read in the context of the detail contained in the reports, such as exact timing of various incidents and the ward, department or hospital in which the incident took place, would make these individuals identifiable even when they were not named. The Authority advised the Commissioner that it had disclosed this information wherever possible, but, where information increased the likelihood of individuals, such as patients or family members, being identified, this had been redacted.
28. The Commissioner is satisfied, for the reasons set out in paragraphs 24 to 27 above, that the information relates to the individuals (patients, staff members, etc.).
Does the information relate to identifiable individuals?
29. For information to be personal data, it must relate to a living individual who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, identification number, location data or an online identifier) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual (section 3(3) of the DPA 2018).
30. The Court of Justice of the European Union looked at “identifiability” in Breyer v Bundesrepublik Deutschland. The Court of Justice said that the correct test to consider is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain – if the risk of identification is “insignificant”, the information will not be personal data. (Although this judgment was issued before the General Data Protection Regulation, UK GDPR or DPA 2018 came into effect, the Commissioner is satisfied that the same test applies.)
31. As the Authority has commented, even if, for example, an individual was not named, disclosing other information such as treatment given, date of the incident, the ward, department or hospital could all lead to individuals being identified.
32. As noted above, the Applicant strongly believes that the redactions made to the reports by the Authority are “excessive”. It is concerned that the redactions mean that it is unclear what happened in these events or what the outcomes were.
33. Having read the unredacted versions of the SAERs and action plans, the Commissioner is satisfied that disclosing the information withheld by the Authority under section 38(1)(b) would identify the individuals in question. Information disclosed under FOISA is deemed to be placed into the public domain (and not only to the Applicant). The Commissioner must therefore consider whether there is a realistic prospect of individuals being identified, even if they are not named. Given the breadth of the definition in section 3(3) of the DPA 2018 and the likelihood of third parties being able to use information such as that mentioned in paragraph 31, the Commissioner is satisfied that all of the information withheld under section 38(1)(b) is personal data for the purposes of section 3(3) of the DPA 2018.
34. The Commissioner also notes that personal data concerning health is, in line with Article 9(1) of the UK GDPR, considered to be “special category” personal data. Most of the information redacted from the SAERs and action plans comprises the special category personal data of the patients involved.
35. The Commissioner will now go on to consider whether it would be possible for any of the personal data to be disclosed without breaching the data protection principles in Article 5 of the UK GDPR.
Would disclosure contravene any of the data protection principles?
36. Personal data is not exempt from disclosure under FOISA simply because it is personal data. It will, however, be exempt from disclosure, in line with section 38(1)(b) of FOISA (as read with section 38(2)(a)(i) or (b)) if disclosure to a member of the public, otherwise than under FOISA, would contravene one or more of the data protection principles.
37. In this case, the Authority has argued that disclosure would breach the first data protection principle (Article 5(1)(a) of the UK GDPR). This states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. Here, the data subjects are the patients, relatives, members of staff, etc.
38. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.
Special category personal data
39. As noted above, most of the information which has been redacted by the Authority is special category personal data. The Commissioner’s guidance on section 38(1)(b) notes (paragraphs 70 to 72) that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances. Although Schedule 1 to the DPA 2018 contains a wide range of conditions which allow authorities to process special category data, for the purposes of FOISA, the only situation where it is likely to be lawful to disclose third party special category data in response to an information request is where, in line with Article 9(2)(e) of the UK GDPR, the personal data has manifestly been made public by the data subject. Any public authority relying on this condition must be certain that the data subject made the disclosure with the intention of making the special category data public.
40. In this case, there is nothing to suggest that disclosing information about the patients’ health would comply with Article 9(2)(e). Indeed, as the Authority noted, patients would not have any expectation that the information would be made publicly available and that it would be directly contrary to the requirement for patient confidentiality. The Authority also noted that, in some cases, the individual patient was not aware that an SAER was being undertaken.
41. Consequently, the Commissioner is satisfied that it would be unlawful for the Authority to disclose this information. Disclosing the special category data would breach the first data protection principle. It is therefore exempt from disclosure under section 38(1)(b) of FOISA.
Non-special category personal data
42. The Commissioner must now consider the remaining personal data which has been redacted from the SAERs and action plans and whether disclosing it would breach the first data protection principle.
43. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the data to be disclosed. As the Commissioner has noted in his guidance on section 38(1)(b) (paragraph 54), condition (f) is the only condition which could potentially apply in the circumstances of this case.
Condition (f) – legitimate interests
44. Condition (f) states that processing shall be lawful if it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
45. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
46. The three tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Does the Applicant have a legitimate interest in the personal data?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)?
47. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the data subjects before condition (f) will permit the data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Authority was correct to refuse to disclose the personal data to the Applicant.
Is there a legitimate interest in obtaining (non-special category) personal data?
48. There is no definition within the UK GDPR of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 recognises (paragraph 62) that, in some cases, the legitimate interest might be personal to the requester (i.e. the Applicant) but, for most requests, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.
49. The Commissioner notes that the Applicant is an action group which aims to promote a safe, transparent and accountable NHS in Scotland.
50. In determining whether the Applicant has a legitimate interest in the non-special category personal data redacted from the SAERs and action plans, the Commissioner believes that it is useful to break the information down into three different types: information about patients' relatives or representatives; information about the medical staff who were directly involved in the incidents which led to the SAERs; and information about the staff who were given the task of carrying out the review and/or ensuring that action plans were complied with.
51. The Commissioner considers that the Applicant has demonstrated a strong legitimate interest in understanding the circumstances surrounding serious adverse events in which the safety or care of patients was, or could have been, compromised. The reviews of such events may well highlight strengths and weaknesses in systems, training, or infrastructure, and ensure that people can learn from what has gone wrong.
52. In addition, the Commissioner is satisfied that the general public has a legitimate interest in obtaining information which would allow scrutiny and understanding of each adverse event and the way in which the Applicant responded, including the steps it took to address any identified failings.
53. However, while there may in general be a legitimate interest in highlighting the strengths and weaknesses of systems, etc., the Commissioner does not consider that this interest requires disclosure of the personal data of patients' relatives or representatives. It is not clear why such disclosure would be necessary, in order to meet the legitimate interest identified. As there is, therefore, no condition in Article 6 of the UK GDPR which would allow this personal data to be disclosed, the Commissioner finds that disclosure would breach the first data protection principle and that, accordingly, the information is exempt from disclosure under section 38(1)(b) of FOISA.
54. As noted above, the medical staff whose personal data is contained within the reports can be separated into two different types: staff who were directly involved in the incidents which led to the SAER and staff who were given the task of carrying out the review and/or ensuring that action plans were complied with.
55. Given the focus of the Applicant’s campaign work, and the wider interest in the circumstances which led to the incidents, and the reaction to and learning from the incidents, the Commissioner accepts that the Applicant has a legitimate interest in obtaining information about both sets of officials, in relation to their role in the incidents described in the reports.
Is disclosure of (the remaining non-sensitive) personal data necessary?
56. Having established that the Applicant does have a legitimate interest in the withheld personal data which relates to members of staff, the Commissioner must now consider whether its disclosure is necessary for the purposes of those legitimate interests.
57. The Applicant stated that the public has a right to know how many preventable deaths are occurring, in which NHS Boards, what types of incident are occurring and what is being done to prevent similar deaths. It commented that FOISA is the only systematic means of the public finding out this information and stated that there are no credible systems of assessing the performance of NHS Scotland on patient safety.
58. However, the Authority commented that the SAER report and action plan is only part of the process. It advised the Commissioner that, within the Authority, a learning summary template is used, both locally within specific departments, and across the wider organisation. The learning summary focuses on what can be done to prevent reoccurrence, rather than simply highlighting the issue or problem.
59. The Authority also told the Commissioner that its Clinical Governance Unit supports a network of specialist committees which undertake regular analysis of clinical incidents. This includes regular reporting on significant adverse event activity and cross-service learning points, including recommendations for action where appropriate. These are shared at Directorate and Board level. According to the Authority, processes are therefore in place for shared learning from SAERs.
60. The Authority also considered that other information is available which would provide the Applicant with an overview of significant adverse event activity without the need to request the actual SAER reports. For example, the most recent (at the time submissions were received from the Authority) Clinical Governance annual report includes information on the number of SAERs over the last seven years; the most common significant adverse event contributory factors and the most common themes from closed SAERs. Such information cannot be obtained solely from the SAER reports, and so disclosure of the redacted information would not enhance the general interest in making information available to improve accountability and participation.
61. The Authority therefore considered that providing individual SAERs does not fully reflect the organisational and shared learning that takes place following incidents. While it recognised a legitimate interest in highlighting individual errors, or system weaknesses, the Authority considered that disclosure of individuals’ personal data was not necessary to achieve this.
62. The Commissioner has considered the submissions from both parties carefully in the light of the decision by the UK Supreme Court in South Lanarkshire Council v Scottish Information Commissioner UKSC 55. In this case the Supreme Court stated (paragraph 27):
"… a measure would not be necessary if the legitimate aim could be achieved by something less."
63. It is clear that the parties have very different views as to whether the information which is available through other routes is sufficient or whether disclosure of the personal data of staff is necessary to meet the Applicant’s legitimate interests. On balance, the Commissioner considers that disclosure of the identities of the medical staff would permit the fullest possible understanding of the incidents described in the reports and the steps taken afterwards. He cannot identify any viable means of fully meeting the legitimate interests of the Applicant which would interfere less with the privacy of the data subjects (certain medical staff) than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of the Applicant’s legitimate interests.
Would disclosure of (the remaining non-sensitive) personal data be unwarranted?
64. The Commissioner must now consider whether the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects. This test involves a balancing exercise between the legitimate interests of the Applicant and those of the data subjects. Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be made available without breaching the first data protection principle. Disclosure will always involve some intrusion of privacy, but that intrusion will not always be unwarranted.
65. As noted in paragraphs 25 and 26 above, the Authority disclosed the job titles, etc. of certain staff who were involved in the review teams, and also the names of senior staff in a number of the reports e.g. of consultant medical staff; staff who commissioned the SAERs, staff who signed off the SAER reports and staff who compiled or authored the reports. The personal data of the members of staff who were involved in the significant events has all been redacted.
66. In the Commissioner's guidance on section 38 of FOISA (paragraph 68), he gives some examples of the factors to be considered in carrying out the balancing exercise, including:
(i) the potential harm or distress that may be caused by the disclosure
(ii) whether the individual objected to the disclosure
(iii) the reasonable expectations of the individuals as to whether the information should be disclosed.
67. The Authority commented that disclosing the names of (non-senior) members of staff who participated in SAER investigation, or in tasks related to action plans, would be excessively intrusive. In such cases, the Authority had disclosed the job role on the basis that it is the role of an individual, and therefore the relevant knowledge and skills relating to their job that is of value, and not the name of the individual.
68. The Commissioner notes that the fact that a member of staff was involved in an adverse event does not mean that he or she was responsible for that event or that his or her conduct was in any way improper. There may be situations where that is the case, but such situations will be dealt with through already existing policies regarding employee conduct or malpractice. The Commissioner considers that the use of such policies is more proportionate in order to achieve this legitimate interest than by disclosing the personal data of the relevant members of staff.
69. Overall, the Commissioner considers that it is not proportionate for the Applicant to have access to the personal data of the medical staff who were involved in the incidents which led to the adverse event, given that it would lead to their identification in circumstances where they would certainly not expect to be named.
70. The Commissioner has therefore concluded that the legitimate interests of the Applicant are outweighed by the rights and freedoms of the staff members whose names have been withheld. Consequently, there is no condition in Article 6 of the UK GDPR which would allow the information to be disclosed.
71. Given that disclosure would be unlawful, disclosure would breach the first data protection principle and the personal data which has been redacted is exempt from disclosure under section 38(1)(b) of FOISA.
Section 38(1)(d) – Deceased person’s health record
72. The Authority applied the exemption in section 38(1)(d) of FOISA to some of the information in the SAERs and action plans.
73. Section 38(1)(d) exempts information from disclosure if it constitutes a deceased person’s health record. This is an absolute exemption in that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.
74. Section 38(5) of FOISA states that “health record” has the meaning assigned to it by section 1(1) of the Access to Health Records Act 1990 (“the AHRA”). (The definitions of “health record” and “health professional” are set out in full in Appendix 1.)
Comments from the Authority
75. The Authority noted that each SAER report contains information which has been taken from the healthcare records of the individuals to whom the SAERs relate; each report clearly states that the healthcare records have been reviewed. The information includes, but is not limited to, information such as: age and gender; past medical history; care and treatment; procedures or operations carried out; diagnostic tests performed; cause of death.
76. In addition, each report contains a unique identifier which directly relates to the event as reported on the Authority’s incident reporting system (Datix), from which an individual can be identified. When input into the Datix system, this unique identifier will provide a record of the individual and incident to which the SAER relates, including the name and date of birth of the individual, and a description of the incident, including the identities of staff members involved in the incident.
77. Information within health records has been created by nurses, doctors and other clinical staff involved in the care and treatment of the individuals to whom the SAERs relate who, as such, are “health professionals” for the purpose of the AHRA.
Comments from the Applicant
78. The Applicant considered that the Authority had made unnecessary redactions to the information. It did not consider that the SAER or action plans constituted a health record, and considered that the Authority was in fact trying to cover up what had happened.
The Commissioner’s view
79. The Commissioner has reviewed the information being withheld under section 38(1)(d) of FOISA. While he notes that the Applicant disagrees with the definition of “health record”, the Commissioner is satisfied that the information in question is subject to the exemption in section 38(1)(d), in that it falls within the definition of “health record” in section 1(1) of AHRA. A “health record” does not need to be a standalone document, but is simply a record consisting of information relating to the health of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.
80. Consequently, the Commissioner finds the information to be exempt from disclosure under section 38(1)(d) of FOISA. As indicated above, this exemption is not subject to the public interest test.
Information to be disclosed
81. As noted at paragraph 8, during the investigation, the Authority advised the Commissioner that it had concluded that certain information could now be disclosed. The Commissioner therefore requires the Authority to disclose this information to the Applicant except insofar as it has already been disclosed.
The Commissioner finds that the Authority generally complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that, by withholding information which it later concluded could be disclosed, the Authority failed to comply with Part 1 of FOISA. However, he is satisfied that the remainder of the information is exempt from disclosure under section 38(1)(b) or section 38(1)(d) of FOISA.
The Commissioner requires the Authority to disclose the information referred to at paragraph 9, except insofar as it has already been disclosed to the Applicant, by 4 September 2023.
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Scottish Information Commissioner
20 July 2023
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
(e) in subsection (1) of section 38 –
(i) paragraphs (a), (c) and (d); and
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
38 Personal information
(1) Information is exempt information if it constitutes-
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));
(d) a deceased person's health record.
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
"health record" has the meaning assigned to that term by section 1(1) of the Access to Health Records Act 1990 (c.23); and
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Article 9 Processing of special categories of personal data
1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2 Paragraph 1 shall not apply if one of the following applies:
e. processing relates to personal data which are manifestly made public by the data subject;
Data Protection Act 2018
3 Terms relating to the processing of personal data
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
(d) disclosure by transmission, dissemination or otherwise making available,
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.
204 Meaning of “health professional” and “social work professional”
(1) In this Act “health professional” means any of the following –
(a) a registered medical practitioner;
(b) a registered nurse or midwife;
(c) a registered dentist within the meaning of the Dentists Act 1984 (see section 53 of that Act);
(d) a registered dispensing optician or a registered optometrist within the meaning of the Opticians Act 1989 (see section 36 of that Act);
(e) a registered osteopath within the meaning of the Osteopaths Act 1993 (see section 41 of that Act);
(f) a registered chiropractor within the meaning of the Chiropractors Act 1994 (see section 43 of that Act);
(g) a person registered as a member of a profession to which the Health Professions Order 2001 (S.I. 2002/254) for the time being extends;
(h) a registered pharmacist or a registered pharmacy technician within the meaning of the Pharmacy Order 2010 (S.I. 2010/231) (see article 3 of that Order);
(i) a registered person within the meaning of the Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)) (see Article 2 of that Order);
(j) a child psychotherapist;
(k) a scientist employed by a health service body as head of a department.
Access to Health Records Act 1990
1 “Health record” and related expressions
(1) In this Act “health record” means a record which -
(a) consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record; and
(b) has been made by or on behalf of a health professional in connection with the care of that individual;
2 Health professionals
In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).