Decision 099/2017: ASAP-NHS and Lothian Health Board

Significant Adverse Event Reviews

Reference No: 201601936
Decision Date: 29 June 2017

Summary

NHS Lothian was asked for copies of Significant Adverse Event Reviews (SAERs) and associated action plans carried out in 2013. NHS Lothian provided copies of the SAERs and action plans, but it withheld personal data.

The Commissioner investigated and found that, while NHS Lothian was entitled to make many of the redactions it had, it had wrongly identified some information as personal data. She required NHS Lothian to provide new versions of the SAERs and action plans which disclosed the names of the officials who conducted the reviews and other information that was not personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e) (Effect of exemptions); 16(1) (Refusal of request); 38(1)(b) and (d) and (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject", "personal data" and "health record") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provision) (definition of personal data); 2(e), (g) and (h) (Sensitive personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 2 (Conditions relevant for the purposes of the first principle: processing of any personal data) (condition 6); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (condition 1))

Access to Health Records Act 1990 section 1(1)(a) and (b) ("Health record" and related expressions)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

All references in this decision to "the Commissioner" are to Margaret Keyse, who has been appointed by the Scottish Parliamentary Corporate Body to discharge the functions of the Commissioner under section 42(8) of FOISA.

Background

1. ASAP-NHS is a citizen action group set up to promote a safe, transparent and accountable NHS in Scotland. On 10 August 2016, ASAP-NHS made an information request to Lothian Health Board (NHS Lothian). The information requested was:

electronic copies of the first 50 Critical Incident Reports (CIRs)/Significant Adverse Event Reports (SAERs) in chronological numbered order prepared in calendar year 2013 by NHS Lothian, together with the action plans for each of the CIRs/SAERs.

2. NHS Lothian responded on 2 September 2016. It explained that only 39 of the 50 cases had full SAER reports, but there was alternative documentation for the remaining 11 cases. It provided ASAP-NHS with redacted versions of all of the requested information. It notified ASAP-NHS that it was withholding information from the reports under section 38(1)(b) of FOISA (Personal information).

3. On 23 September 2016, ASAP-NHS wrote to NHS Lothian requesting a review of the way it had responded to the request. ASAP-NHS argued that the documents had been excessively redacted to the extent that they failed to indicate the nature of each critical incident.

4. NHS Lothian notified ASAP-NHS of the outcome of its review on 18 October 2016. It provided ASAP-NHS with another copy of each report, redacted as before, but it also provided ASAP-NHS with information showing the relevant service area for each SAER (e.g. Mental Health; Medicine of the Elderly) and the total number of SAERs for each service area. NHS Lothian reiterated that it was withholding information from the SAERs under section 38(1)(b) of FOISA.

5. On 21 October 2016, ASAP-NHS applied to the Commissioner for a decision in terms of section 47(1) of FOISA. ASAP-NHS again argued that NHS Lothian had made excessive redactions, withholding more information than was permitted by FOISA.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that ASAP-NHS made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 7 December 2016, NHS Lothian was notified in writing that ASAP-NHS had made a valid application. NHS Lothian was asked to send the Commissioner the information withheld from ASAP-NHS. NHS Lothian provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Lothian was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both ASAP-NHS and NHS Lothian. She is satisfied that no matter of relevance has been overlooked.

Withheld information

10. NHS Lothian is withholding information from the first 50 adverse events reported on its DATIX System with a severity of major harm or death, from 1 January 2013, along with any associated improvement or action plans. Only 39 of the 50 adverse events have full SAERs, with alternative documentation being included for the remaining 11 adverse events.

11. In this decision notice, the Commissioner will use the term "SAER" when referring to the reports for each of the 50 adverse events, and she will use the term "action plan" when referring to any of the improvement or action plans that are associated with a particular SAER.

12. During the investigation, NHS Lothian acknowledged that the original redactions it had made were too extensive. NHS Lothian provided the Commissioner with new copies of each document, re-redacted to disclose additional information. NHS Lothian indicated that it was content for these newly re-redacted versions to be disclosed to ASAP-NHS. NHS Lothian confirmed that it was withholding the redacted information under section 38(1)(b) and (d) of FOISA.

13. The Commissioner has carefully reviewed the re-redacted documents provided by NHS Lothian. They disclose significantly more information than the original redacted versions. In relation to the information which was originally withheld from ASAP-NHS, but which NHS Lothian agreed, during the investigation, should have been disclosed, the Commissioner finds that NHS Lothian wrongly applied the exemption in section 38(1)(b) to information which, in the context of the redacted document, was not personal data.

14. The Commissioner will now go on to consider the information in the re-redacted reports that NHS Lothian is still withholding from ASAP-NHS under sections 38(1)(b) and (d) of FOISA.

Section 38(1)(b) - Personal data

15. Under section 38(1)(b) of FOISA, as read with section 38(2)(a)(i) or (b), information is exempt from disclosure if it is personal data and its disclosure would breach one or more of the data protection principles contained in the DPA. This is an absolute exemption in that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the withheld information in the re-redacted SAERs and action plans personal data?

16. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified (a) from those data or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the definition is set out in full in Appendix 1; the interpretation of part (b) of the definition is considered in more detail below).

17. ASAP-NHS has stated that it is not seeking personal data. It has argued that the exemption in section 38(1)(b) does not apply to the information it has requested because it is not seeking personal data.

18. NHS Lothian explained that it was withholding information that could lead to the identification of individuals mentioned in the SAERs and action plans. Having read the reports, the Commissioner notes that they contain the personal details of patients, including their medical treatment, and references to medical staff, family members or patient representatives.

19. As noted above, "personal data" only relates to living individuals. Sadly, a number of the patients who are the subjects of the reports have died and, as a result, the exemption in section 38(1)(b) does not apply to their information. However, in recognition of this, NHS Lothian applied the exemption in section 38(1)(d) (a deceased person's health records) and this is considered in more detail below.

20. For information to be personal data, living individuals must be identifiable. Patients are generally not named in the reports but are referred to as "the patient". However, given the detail in the reports about the patients (e.g. specific illnesses, dates and details of treatment, references to stays in hospitals, moves from other parts of the country), identification of the individual patients remains possible. In coming to this conclusion, the Commissioner has taken account of recital 26 to the EU Directive on which the DPA is based[1] (the Directive), which states that, in determining whether a person is identifiable, account should be taken of all the means likely reasonably to be used to identify the individual.

21. Given that patients could be identified from the reports, it follows that patients' relatives or representatives could also be identified.

22. The medical staff to whom reference is made in the reports fall into two groups: those who were involved in the original incidents, and those who reviewed the adverse events or were tasked with carrying out the actions specified in the action plans.

23. The position is simple with the staff who were tasked with carrying out the review and the actions specified in the action plans. These individuals are named in the reports, and their job titles are usually given. They are clearly identifiable.

24. Matters are not so straightforward, however, when it comes to the staff who were involved in the incidents which led to the reviews: generally, they are not named in the reviews, but are instead referred to, for example, as "ward doctor", "consultant" or "staff nurse". However, in recognition of the requirements of recital 26 to the Directive, and given the breadth of detail contained in the reports (e.g. the exact timing of various incidents and the ward in which the incident took place), the Commissioner is satisfied that the staff referred to in the reports are identifiable, even when they are not named.

25. ASAP-NHS considers that the information redacted by NHS Lothian goes well beyond the definition of personal data. However, the Commissioner takes the view that the information withheld in the re-redacted reports is all personal data. She is satisfied that the information relates to identifiable individuals. The information is clearly about the individuals concerned, is linked to them and has some biographical significance for them. It is therefore the individuals' personal data.

Would disclosure contravene the first data protection principle?

26. Personal data is not exempt from disclosure under FOISA simply because it is personal data. It will, however, be exempt from disclosure, in line with section 38(1)(b) of FOISA (as read with section 38(2)(a)(i) or (b)) if disclosure to a member of the public, otherwise than under FOISA, would contravene one or more of the data protection principles.

27. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 (to the DPA) is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 (also to the DPA) is met.

Sensitive personal data

28. The definition of sensitive personal data is set out in section 2 of the DPA. In terms of section 2(e), personal data consisting of information as to a data subject's physical or mental health or condition is sensitive personal data. It is therefore clear that all information relating to the patients is sensitive personal data. The reports also include some references to the health or physical condition of other individuals, such as members of staff, and this is also sensitive personal data for the purposes of the DPA.

29. Similarly, the reports contain a small amount of information relating to criminal offences, and this information is also sensitive personal data in terms of sections 2(g) and (h) of the DPA (see Appendix 1 for the full definitions).

30. As noted above, for sensitive personal data to be disclosed under FOISA, at least one of the conditions in both Schedule 2 and Schedule 3 to the DPA must be capable of being fulfilled. Given that the conditions in Schedule 3 are, intentionally, much more stringent than those in Schedule 2, the Commissioner considers it appropriate to look at these first.

31. NHS Lothian argued that there were no conditions in Schedule 3 to the DPA which permitted the disclosure of the sensitive personal data it was withholding.

32. The Commissioner notes that the first condition in Schedule 3 allows sensitive personal data to be processed where the data subject has given explicit consent to the processing of the personal data. It should be noted here that "processing", in response to an information request made under FOISA, means disclosing the information into the public domain.

33. The Commissioner has not received any evidence to show that individuals were asked to consent to the processing of their sensitive personal data and she is satisfied, given the context and number of the reports, that it would not have been appropriate for such consent to have been sought. Having considered the remaining conditions in Schedule 3 (including the orders made under condition 9 of the Schedule), the Commissioner has concluded that there are no conditions in the Schedule which would permit the sensitive personal data to be disclosed. As such, given the requirement to find a condition in both Schedules 2 and 3, she finds that disclosure of the sensitive personal data would breach the first data protection principle and that the sensitive personal data is accordingly exempt from disclosure under section 38(1)(b) of FOISA.

Non-sensitive personal data

34. NHS Lothian has argued that the non-sensitive personal data it is withholding could, when combined with the other information it is prepared to disclose in the re-redacted reports, make identification of individuals very likely, and so it remains exempt under section 38(1)(b) of FOISA.

35. Given that the remaining personal data under consideration is not sensitive personal data, disclosure is permitted if any condition in Schedule 2 to the DPA can be met.

Can any of the conditions in Schedule 2 be met?

36. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2], that the conditions required careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interest of the data subject (i.e. the person or persons to whom the data relate).

37. NHS Lothian has argued that the only condition in Schedule 2 which might be relevant is Condition 6. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects.

38. There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

(i) Does ASAP-NHS have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve these legitimate interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subjects (i.e. the individuals to whom the data relate)?

(iii) Even if the processing is necessary for the legitimate interests of ASAP-NHS, would the disclosure nonetheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

39. There is no presumption in favour of the release of personal data under the general obligations laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of ASAP-NHS must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit disclosure. If the two are evenly balanced, the Commissioner must find that NHS Lothian was correct to refuse to disclose the personal data to ASAP-NHS.

Does ASAP-NHS have a legitimate interest in obtaining the personal data?

40. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's published guidance[3] on section 38 states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

41. The Commissioner notes that ASAP-NHS is an action group which aims to promote a safe, transparent and accountable NHS in Scotland. The ASAP-NHS website[4] states that there is a requirement in Scotland for the NHS to be regulated by an independent body. ASAP-NHS indicates that one of the reasons for establishing an independent regulator would be to prevent avoidable deaths and to speak up in the interests of patient safety.

42. In determining whether ASAP-NHS has a legitimate interest in the non-sensitive personal data in the re-redacted reports, the Commissioner believes that it is useful to break the information down into three different types: information about patients' relatives or representatives; information about the medical staff who were directly involved in the incidents which led to the SAER; and information about the staff who were given the task of carrying out the review and/or ensuring that action plans were complied with.

43. The Commissioner considers that ASAP-NHS has demonstrated a strong legitimate interest in understanding the circumstances surrounding serious adverse events in which the safety or care of patients was, or could have been, compromised. The reviews of such events may well highlight strengths and weaknesses in systems, training, or infrastructure, and ensure that people can learn from what has gone wrong.

44. In addition, the Commissioner is satisfied that the general public has a legitimate interest in obtaining information which would allow scrutiny and understanding of each adverse event and the way in which NHS Lothian responded, including the steps it took to address any identified failings.

45. However, while there may in general be a legitimate interest in highlighting the strengths and weaknesses of systems, etc., the Commissioner does not consider that this interest requires disclosure of the personal data of patients' relatives or representatives. It is not clear why such disclosure would be necessary, in order to meet the legitimate interest identified. As condition 6 of Schedule 2 cannot be met in relation to this information, the Commissioner finds information relating to patients' relatives or representatives to be exempt from disclosure under section 38(1)(b) of FOISA.

46. As noted above, the medical staff whose personal data is contained within the reports can be separated into two different types: staff who were directly involved in the incidents which led to the SAER and staff who were given the task of carrying out the review and/or ensuring that action plans were complied with.

47. Given the focus of ASAP-NHS's campaign work, the Commissioner accepts that it has a legitimate interest in obtaining information about both sets of officials, in relation to their role in the incidents described in the reports.

Is disclosure of the information necessary for the purposes of these legitimate interests?

48. Having established that ASAP-NHS does have a legitimate interest in the withheld personal data which relates to members of staff, the Commissioner must now consider whether its disclosure is necessary for the purposes of those legitimate interests.

49. In its submissions, ASAP-NHS argued that each year there are more than 5,000 particular deaths reported to COPFS, and that most of the categories for reporting are on patient safety. ASAP-NHS argued that the only way to know the circumstances of these avoidable deaths is to seek the information using freedom of information legislation.

50. The Commissioner has considered the submissions from both parties carefully and in the light of the decision by the Supreme Court in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[5]. In this case the Supreme Court stated (at paragraph 27 of the judgment):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

51. The Commissioner considers that disclosure of the identities of the medical staff would permit the fullest possible understanding of the incidents described in the reports and the steps taken afterwards. She cannot identify any viable means of fully meeting the legitimate interests of ASAP-NHS which would interfere less with the privacy of the data subjects (the medical staff) than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of ASAP-NHS's legitimate interests.

Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects?

52. The Commissioner must now consider whether the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects. This test involves a balancing exercise between the legitimate interests of ASAP-NHS and those of the data subjects (staff who were directly involved in the incidents which led to the SAER and staff who were given the task of carrying out the review and/or ensuring that action plans were complied with). Only if the legitimate interests of ASAP-NHS outweigh those of the data subjects can the information be made available without breaching the first data protection principle.

53. In the Commissioner's guidance[6] on section 38 of FOISA, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

(iv) the reasonable expectations of the individuals as to whether the information should be disclosed.

54. NHS Lothian acknowledged that ASAP-NHS has a legitimate interest in the information, but it maintained that the data subjects' right to privacy is much more important. NHS Lothian explained that its policy is to ensure that confidentiality is maintained and that "de-identified" data is used wherever possible. NHS Lothian explained that it releases information about staff roles (when possible and where included) rather than names because it is the role that is material to the case.

55. The fact that a member of staff was involved in an adverse event does not mean that he or she was responsible for that event or that his or her conduct was in any way improper. There may be situations where that is the case, but such situations will be dealt with through already existing policies regarding employee conduct or malpractice. The Commissioner considers that the use of such policies is more proportionate in order to achieve this legitimate interest than by disclosing the personal data of the relevant officials.

56. Overall, the Commissioner considers that it is not proportionate for ASAP-NHS to have access to the personal data of the medical staff who were involved in the incidents which led to the adverse event, given that it would lead to their identification in circumstances where they would certainly not expect to be named.

57. However, the Commissioner disagrees with the approach taken by NHS Lothian regarding the names of reviewers. In Decision 036/2012 Rab Wilson and Ayrshire and Arran NHS Board[7] the Commissioner required the authority to disclose the names of senior members of staff who were involved in conducting reviews. In that decision, the Commissioner found that:

"…it would be unreasonable for senior members of staff not to expect that the fact they have been asked to be involved in a team carrying out a review or have been tasked with carrying out an action under an action plan would be disclosed. The fact of their involvement also very much relates to their public life and not to their private life".

58. The Commissioner notes that NHS Lothian's Adverse Event Management Policy[8] states that the review team allocated to a SAER must:

"be sufficiently removed from the event, have no conflict of interest (real or perceived) to be able to provide an objective view".

59. The Commissioner considers that this applies to the information in this case and she finds that disclosure of the names of senior members of staff involved in reviews would not cause unwarranted prejudice to their rights and freedoms or legitimate interests. Disclosure of the names of review staff would not be disproportionate, given that they had no direct involvement in the specific event they are reviewing.

60. The Commissioner notes that there are various instances of junior members of staff being involved in review teams or being allocated tasks in action plans. In these cases, the Commissioner is satisfied that the individuals would not reasonably expect their personal data to be disclosed. The Commissioner finds that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of these data subjects. As such, no condition in Schedule 2 applies to this information and the information is exempt from disclosure under section 38(1)(b) of FOISA.

Would disclosure be fair and lawful?

61. Having reached these conclusions, the Commissioner must now go on to consider whether disclosure of the names of senior officials involved in reviews would be fair and lawful.

62. The Commissioner considers that disclosure would be fair, for the reasons already outlined in relation to condition 6, above.

63. NHS Lothian has not put forward any arguments as to why disclosure of the information would be unlawful, except by implying that disclosure of the personal data would involve a breach of the DPA, which would in itself be unlawful.

64. Having found disclosure of the personal data of the senior officials to be both fair and lawful and in accordance with condition 6, and no arguments having been advanced as to why disclosure would otherwise be unlawful, the Commissioner concludes that disclosure would not breach the first data protection principle. As such, the information is not exempt from disclosure under section 38(1)(b) of FOISA.

Section 38(1)(d) - Deceased person's health record

65. During the investigation, the Commissioner noted that some of the patients who were the subject of the SAERs and action plans were now deceased. NHS Lothian was asked if it intended to rely on section 38(1)(d) of FOISA to withhold this information from ASAP-NHS. NHS Lothian confirmed that it was applying the exemption in section 38(1)(d) to information contained in 22 of the 50 SAERs.

66. By failing to notify ASAP-NHS that it was relying on section 38(1)(d) in relation to this information, NHS Lothian failed to comply with section 16(1) of FOISA when it issued its refusal notice.

67. Section 38(1)(d) exempts information from disclosure if it constitutes a deceased person's health record. This is an absolute exemption in that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.

68. Section 38(5) of FOISA states that "health record" has the meaning assigned to it by section 1(1) of the Access to Health Records Act 1990 ("the 1990 Act"). The 1990 Act defines "health record" as a record which (a) consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record and (b) has been made by or on behalf of a health professional in connection with the care of that individual.

69. NHS Lothian withheld, under section 38(1)(d), information that would be added to the deceased person's record in the event of a complaint and/or litigation. NHS Lothian submitted that this information would also be held within a database from which only "de-identified" information is made available beyond the clinical team without the express permission of the Caldicott Guardian. NHS Lothian argued that the Caldicott Guardian would only unseal the record to provide information to the relevant authorised persons or, under very strict research safe haven conditions, for the purpose of clinical research, evaluation and audit.

70. The Commissioner has reviewed the information being withheld under section 38(1)(d) of FOISA and she is satisfied that the information comes from a health record as defined in section 1(1) of the 1990 Act. Consequently, the Commissioner finds the information to be exempt from disclosure under section 38(1)(d) of FOISA. As indicated above, this exemption is absolute and therefore is not subject to the public interest test.

Information to be disclosed

71. As noted above, during the investigation NHS Lothian re-redacted the SAERs and action plans and provided copies to the Commissioner. These re-redacted reports disclose significantly more information about the adverse events than was previously disclosed and NHS Lothian has acknowledged that its original redactions were too extensive.

72. The Commissioner requires NHS Lothian to provide ASAP-NHS with copies of the re-redacted reports it provided to her during the investigation, after amending these reports so that the names of senior officials who were involved in carrying out the reviews into each adverse incident are also disclosed (given that she has found this information is not exempt in terms of section 38(1)(b) of FOISA).

Decision

The Commissioner finds that NHS Lothian partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by ASAP-NHS.

The Commissioner finds that NHS Lothian correctly withheld some information under section 38(1)(b) of FOISA, but was wrong to apply this exemption to other information. This was a breach of section 1(1) of FOISA.

By failing to notify ASAP-NHS that it was withholding information under section 38(1)(d) of FOISA, NHS Lothian failed to comply with section 16(1) of FOISA.

The Commissioner requires NHS Lothian to provide ASAP-NHS with the re-redacted versions of the SAERs and associated action plans described in the decision notice, with the inclusion of personal data which was wrongly withheld, by 14 August 2017.

Appeal

Should either ASAP-NHS or NHS Lothian wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If NHS Lothian fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS Lothian has failed to comply. The Court has the right to inquire into the matter and may deal with NHS Lothian as if it had committed a contempt of court.

Margaret Keyse
Acting Scottish Information Commissioner

29 June 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

16 Refusal of request

(1) Subject to section 18, a Scottish public authority which, in relation to a request for information which it holds, to any extent claims that, by virtue of any provision of Part 2, the information is exempt information must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant a notice in writing (in this Act referred to as a "refusal notice") which-

(a) discloses that it holds the information;

(b) states that it so claims;

(c) specifies the exemption in question; and

(d) states (if not otherwise apparent) why the exemption applies.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(d) a deceased person's health record.

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

"health record" has the meaning assigned to that term by section 1(1) of the Access to Health Records Act 1990 (c.23)

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(e) his physical or mental health or condition,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

Access to Health Records Act 1990

1 "Health record" and related expressions

(1) In this Act "health record" means a record which -

(a) consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record; and

(b) has been made by or on behalf of a health professional in connection with the care of that individual;

