Decision 089/2022: Medical qualifications of named individuals

Authority: East Lothian Council
Case Ref: 202200146

Summary

The Applicant asked the Authority for the medical qualifications of specific employees.  The Authority refused to confirm or deny whether the requested information was held by it.  The Commissioner investigated and found that the Authority was entitled to refuse to confirm or deny whether it held the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 18(1) (Further provisions as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner); 49(3)(a) (Commissioner’s decision)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 3 January 2022, the Applicant made a request for information to the Authority.  He asked for “a full copy of all the medical qualifications that [specific] employees are in possession of and have been registered with the NHS as being fully trained medical professionals”. 

2. The Authority responded on 26 January 2022.  In doing so, the Authority applied section 18 of FOISA and refused to confirm or deny whether the requested information existed or was held.  The Authority stated that, in this instance, the information required consists of personal data, which, if held, would be exempt under section 38(1)(b) of FOISA. It was the Authority’s opinion that to confirm whether or not this information is held would disclose personal data about its employees into the public domain.

3. On 28 January 2022, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that he was dissatisfied with the decision because he considered that he was entitled to a full copy of the qualifications due to the fact that the Authority was “using them in a court of law, and stating under oath that these persons are of a fit and lawfully qualified to be making … allegations against [him]”.  

4. The Authority notified the Applicant of the outcome of its review on 31 January 2022.  The Authority upheld its original decision to apply section 18 of FOISA. The Authority stated that responding other than by applying section 18 would, in and of itself, constitute personal data in respect of the individuals.  Therefore, it concluded that there appeared to be no means by which it could respond to the Applicant’s request without potentially breaching the Data Protection principles in respect of these staff members.  The Authority also argued that disclosure of the personal data in this case, if it were held, would significantly damage the duty of trust and confidence between the Council and its employees and, in its view, the public interest is better served by maintaining that duty.

5. The Authority did however explain that, because the request for review rests on the ongoing court case in which the Applicant is engaged, that would be a more appropriate forum to address the issue. 

6. On 3 February 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant was dissatisfied with the outcome of the Authority’s review.  He considered that if the Authority was making a judgement on him he was entitled to a copy of the qualifications.  The Applicant further clarified his reasons for dissatisfaction on 4 February 2022 when he commented that the Authority was deliberately withholding the information to deny him a fair trial.

Investigation

7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

8. On 1 March 2022, the Authority was notified in writing that the Applicant had made a valid application.  The case was allocated to an investigating officer. 

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to its reasons for neither confirming nor denying whether it held the information, or whether it existed, and to the potential application of the exemption cited in its response to the Applicant.

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

11. The Authority is relying on section 18 of FOISA, read in conjunction with the exemption in section 38(1)(b) of FOISA.  

Section 18(1) – “neither confirm nor deny”

12.    Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

  •  a request has been made to the authority for information, which may or may not be held by it;
  • if the information existed and were held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
  • the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

13. Where section 18(1) is under consideration, the Commissioner must ensure that his decision does not confirm one way or the other whether the information requested actually exists or is held by the authority.  This means he is unable to comment in any detail on the Authority’s reliance on any of the exemptions referred to, or on other matters that could have the effect of indicating whether or not the information existed or was held by the Authority.

Section 38(1)(b) – Personal information

14. The Commissioner will first consider whether, if the information existed and were held by the Authority, the Authority would be justified in refusing to disclose the information by virtue of the exemption in section 38(1)(b) of FOISA.

15. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.

Would the information be personal data? 

16. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(2) of the DPA 2018 defines “identifiable living individual” as “a living individual who can be identified, directly or indirectly, in particular with reference to-

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”

17. Within his information request to the Authority, the Applicant provided a copy of a Minute from a specific meeting.  The Minute contained a record of all of the individuals in attendance at that meeting.  It was about those named individuals that the Applicant requested information.  

18. The Authority considered the information, if held, would be “personal data” given that it relates to specific named individuals who have been identified (by name) by the Applicant in his request.  As such, the Authority submitted that the data subjects are both identified and identifiable.

19. The Commissioner notes that, as mentioned above, the Applicant’s information request refers to named individuals who attended a specific meeting, and it is about them he is seeking information.  Specifically, a copy of the medical qualifications they hold.

20.  The Commissioner is satisfied that, if this information did exist and was held by the Authority, it would clearly relate to identified or identifiable living individuals.  The Commissioner therefore accepts that, if it existed and were held, the information would be personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

21.    The Authority argued that disclosing the personal data, if it existed and were held, would breach the first, second and sixth data protection principles: 

  • The first data protection principle requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a) of the UK GDPR).  
  • The second data protection principle requires personal data to be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes (Article 5(1)(b) of the UK GDPR).
  • The sixth data protection principle requires personal data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing using appropriate technical and organisational measures (Article 5(1)(f) of the UK GDPR).

22. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available”.  For the purposes of FOISA, personal data are processed when disclosed in response to a request.  

23. The Commissioner will first consider whether disclosure would breach the first data protection principle.

Lawful processing: Article 6(1)(f) of the UK GDPR

24. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data to be disclosed, if it existed and were held.

25. The Commissioner considers that condition (f) is the only one which could potentially apply, assuming the personal data existed and were held. 

26. The tests which must be met before Article 6(1)(f) could be met are as follows:

(i) Would the Applicant (or wider public) have a legitimate interest in obtaining personal data, if held?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

27. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

28. The Authority did not consider that any of the conditions in Article 6(1) of the UK GDPR would allow it to lawfully disclose the personal data, if it existed and were held. However, at the invitation of the Commissioner, the Authority provided detailed comments on Article 6(1)(f).

Would the Applicant (or wider public) have a legitimate interest in obtaining the personal data, if held?

29. The Authority did not consider that the Applicant had demonstrated a legitimate interest in obtaining the information, if it was held.  The Authority acknowledged that the Applicant had described the use of the information requested in a court of law, and indicated that it appeared reasonable for it to conclude that the Applicant wished to make use of the information within the context of ongoing court proceedings.  However, the Authority submitted that the legal routes and mechanisms of the court would be the most appropriate means of addressing the issue.

30. The Authority recognised that the Applicant considers that they would benefit from disclosure of the information, but it did not share that view and could not understand how the proposed processing might be of benefit to any other party.  Nor did the Authority consider there to be any wider benefits of the processing to the public. 

31. Having considered the nature of the information covered by the request, together with the submissions from the Applicant, the Commissioner is satisfied that the Applicant is pursuing a legitimate interest in seeking this information. He is also satisfied that this legitimate interest would embrace a wider public interest, in being satisfied that, where employees of public authorities are acting in an official and professional capacity when making statements or allegations, they have the appropriate professional qualifications to enable them to do so.  The Commissioner is therefore satisfied that, if it existed and were held, the Applicant would have a legitimate interest in obtaining the personal data.

Would disclosure be necessary?

32. The next question is whether disclosure of the personal data (if held) would be necessary to achieve that legitimate interest.  “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject.

33. The Authority argued that, because the Applicant has not demonstrated a clear or specific purpose or objective for the data processing, this makes it unclear as to whether the proposed data processing might be necessary to fulfil such a purpose, if the information exists.  

34. It is the Authority’s view that there is a more reasonable route available to the Applicant, via the court process, which might – if relevant – identify an alternative lawful route to address the issue.  As a consequence, the Authority concluded that the necessity test was not met in relation to the processing of the personal data requested, if it were held.

35. In reaching his view, the Commissioner has been mindful that the disclosure of personal data must be as minimal as possible to fulfil the legitimate interest identified.  

36. At the time of his request for information, there were live court proceedings underway, which offered an alternative route to the Applicant to either seek the information he required or have his concerns dealt with, which did not necessitate the disclosure of personal data (if held) into the public domain, which would be the effect if the information (if held) were disclosed under FOISA.  As a consequence, the Commissioner considers that those routes could and should have been used as a means of fulfilling the Applicant’s legitimate interest.

37. As such, the Commissioner has concluded that disclosure of the personal information in response to the Applicant’s information request, if it exists and is held, would not be necessary to fulfil the Applicant’s legitimate interest in this case.

38. Because the Commissioner has concluded that disclosure is not necessary, he is not required to go on to consider the final test, as to whether the legitimate interests of the Applicant would be overridden by the interests or fundamental rights and freedoms of the data subjects (if the information exists and were held).

39. In all the circumstances of this particular case, the Commissioner concludes that there are no conditions in Article 6(1) of the UK GDPR which could be met in relation to the personal data sought by the Applicant (assuming it existed and were held).  Disclosure would therefore be unlawful.

Fairness and transparency

40. Given that the Commissioner has concluded that processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subjects.

Conclusion on the data protection principles

41. For the reasons set out above, the Commissioner is satisfied that disclosure of any relevant personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Having reached this conclusion, he need not go on to consider whether disclosure would also breach the data protection principles in Articles 5(1)(b) and 5(1)(f) of the UK GDPR.

42. In all the circumstances, the Commissioner is satisfied that any such personal data, if it existed and were held, would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be so exempt.

Section 18(1) – The public interest

43. The Commissioner must now consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

Authority’s submissions on the public interest test

44. The Authority argued that, because revealing whether the information existed would breach the data protection principles in the UK GDPR, revealing whether the information existed would be contrary to the public interest.  

45. The Authority also considered a number of other factors when seeking to determine whether it would be contrary to the public interest to reveal whether the information existed or was held, and in each case, it concluded that such disclosure would not fulfil any of these factors in this case.

Commissioner’s views on the public interest test – section 18(1)

46. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) it would have been contrary to the public interest to reveal whether the information existed or was held.

47. The Commissioner has fully considered all of the submissions from the Applicant and recognises, as he has already in this Decision Notice, that there is a legitimate interest in ensuring that, where an employee of a public authority makes particular statements or allegations in the course of their professional duties, they have the appropriate professional qualifications to enable them to do so.

48. However, the Commissioner is satisfied that the action of confirming or denying whether the information existed or was held would have the effect of revealing personal data which would, of itself, lead to the Authority breaching its duties as a data controller under data protection legislation.  In the circumstances, the Commissioner must find that it would be contrary to the public interest for the Authority to reveal whether it held the requested information, or whether the information existed.

49. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Daren Fitzhenry
Scottish Information Commissioner

28 July 2022

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2  Effect of exemptions 

(1)  To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

38     Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

 (5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A)    In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 
    (i)    the request for information to which the requirement for review relates;

    (ii)    the matter which was specified under sub-paragraph (ii) of section 20(3)(c);    and

    (iii)    the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    …

49 Commissioner’s decision

(3) In any other case, the Commissioner must - 

(a) give that authority notice in writing of the application and invite its comments; and 

… 

UK General Data Protection Regulation

Article 5    Principles relating to processing of personal data 

1 Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6    Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …
    f.    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2)    “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3)    “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4)    “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.