Home Decisions

Decision 153/2021

Decision 153/2021: Data Protection Impact Assessment: test, trace and isolate scheme

Public authority: Scottish Ministers
Case Ref: 202001305

Summary

The Ministers were asked for the Data Protection Impact Assessment (DPIA) carried out in relation to the test, trace and isolate scheme. In their review response, the Ministers told the Applicant they did not hold the information.

The Commissioner investigated and found that the Ministers did hold information falling in scope of the request (a "rapid DPIA"). He required the Ministers to provide a new review outcome to the Applicant.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement); 15 (Duty to provide advice and assistance); 17 (Notice that information is not held); 21(4)(b) (Review by Scottish public authority)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 2 June 2020, the Applicant made a request for information to the Scottish Ministers (the Ministers). The information requested was: the full content of the Data Protection Impact Assessment carried out in pursuance of the Scottish Government's obligations [whether under Article 35 of Regulation (EU) 2016/679 ("the General Data Protection Regulation") or not] concerning the Scottish Government's "test, trace and isolate" scheme introduced in order to help detect, trace and monitor the spread of Coronavirus."

2. The Ministers responded on 1 July 2020. They stated that the information was due to be published within 12 weeks of the response date and, therefore, was exempt from disclosure under section 27(1) of FOISA (Information intended for future publication).

3. On 15 July 2020, the Applicant wrote to the Ministers requesting a review of their decision. He considered that the Ministers' refusal notice failed to comply with section 16 of FOISA (Refusal of request) by failing to address the public interest test in section 2(1)(b) of FOISA and in failing to give adequate reasons as to why the exemption in section 27(1) applied.

4. The Ministers notified the Applicant of the outcome of their review on 30 September 2020. They apologised for the failure to respond to the request for review within the statutory timescales. The Ministers withdrew their reliance on section 27(1) but notified the Applicant, in line with section 17(1) of FOISA, that they did not hold the information when they received his request. The Ministers explained that there was no single DPIA covering the Scottish Government's "test, trace and isolate" scheme. Instead, there were a number of DPIAs that were being drafted at the time of the request. The Ministers explained that each DPIA represented a specific aspect of the Test and Protect Programme and that the Scottish Government had commissioned NHS National Services Scotland to develop some of these. The Ministers stated that, because these DPIAs had not been completed and still required to be reviewed and signed-off, they had concluded a notice under section 17(1) was appropriate.

5. The Ministers explained that the DPIAs completed to date had been published[1]. They also provided the Applicant with a link to the DPIA published for the protect.scot proximity app, part of the Test and Protect programme[2].

6. On 1 November 2020, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Ministers' review because he considered that, if the request was properly read, it would have included any draft of the DPIA. Given that the Ministers had confirmed that a draft DPIA(s) was/were held, section 17(1) of FOISA, in his view, could not apply.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 25 November 2020, the Ministers were notified in writing that the Applicant had made a valid application. The case was then allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. On 18 January 2021, the Ministers were invited to comment on this application and to answer specific questions. These related to the searches undertaken by the Ministers to determine what recorded information they held falling within scope of the Applicant's request, including whether they considered a draft DPIA fell within scope of the request. The Ministers responded on 2 February 2021.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the Ministers. He is satisfied that no matter of relevance has been overlooked.

Section 17(1) of FOISA

11. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. (The qualifications contained in section 1(6) are not applicable in this case.)

12. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant a notice in writing to that effect.

The Ministers' submissions

Searches

13. The Ministers explained that they had conducted searches of their corporate systems and had not identified any DPIAs held that fell within scope of the request. The searches conducted encompassed global searches of the Scottish Government's electronic Records Management System (eRDM), and searches of both the Digital Health and Care Information Governance Mailbox and Digital Health Covid Hub Mailbox.

14. Information that was identified as a result of these searches was considered, but found to be out of scope of the request.

15. The Ministers confirmed that four relevant officials conducted searches of their personal folders/inboxes and had identified no information falling in scope of the request.

Information held about the DPIA

16. The Ministers explained that a number of a number of public bodies were involved in developing several DPIAs in relation to the Test and Protect Programme. The programme was being led by the Scottish Government, and the other public bodies involved included NHS National Services Scotland, Public Health Scotland, and NHS Health Boards. At the date of request, the Ministers stated that they had not received any DPIAs from any of the partner organisations engaged in the programme.

17. The Ministers went on to explain that, at the time of the request, rapid Data Protection Impact Assessments (rapid DPIAs) were being used. They explained that these were emergency instruments created at the start of the pandemic to ensure due diligence in times of crisis, pending DPIAs being fully undertaken at a later stage. The appropriateness of using this instrument, as an exceptional measure during exceptional circumstances, was discussed with the ICO at the time.

18. The Ministers provided a weblink to these rapid DPIAs[3].

19. The Ministers explained that the one rapid DPIA held was in draft form and was not fully completed. The Ministers considered that a rapid DPIA is not a substitute for a DPIA, and it would not meet the legal requirements of a DPIA. The Ministers submitted that a rapid DPIA is a vehicle to start urgent COVID work until a "full" DPIA is documented.

Does the rapid DPIA fall within scope of request?

20. The Ministers noted that the request as framed was for "the full content of the Data Protection Impact Assessment carried out…." In their view, this meant the full, final version of a DPIA.

21. The Ministers noted that, in their review response, they had informed the Applicant that work on the DPIA was in progress but had not been completed. The Ministers went on to explain that a number of DPIAs were being drafted at the time of the request, and that partners on the Test and Protect programme were developing some of the DPIAs. Searches did not reveal any draft DPIAs.

Section 15: Duty to advise and assist

22. The Ministers acknowledged that their review response could have been more helpful and could have provided an explanation of the rapid DPIA process that was in place, with a description of the information held which may have been of interest to the Applicant. The Ministers stated that they could also have signposted the Applicant to the other public bodies involved in the programme, who might have been able to provide him with the information he was looking for, to fulfil their duties under section 15 of FOISA. They apologised for these omissions.

The Commissioner's findings

23. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. Ultimately, the Commissioner's role is to determine whether relevant information is actually held by the public authority (or was, at the time it received the request).

24. In reaching a decision in this case, the Commissioner has been mindful of the fact that a requester cannot usually be expected to know how a public authority classifies its records.

25. The Commissioner considered guidance issued by the (UK) Information Commissioner (ICO) on preparing a rapid DPIA. This guidance suggests that DPIAs should be flexible, as appropriate to the context, and formulated a rapid DPIA for these circumstances. The guidance also states that the DPIA should be regularly reviewed and updated.

26. Having considered the copy of the rapid DPIA provided by the Ministers during the investigation, the Commissioner concludes that the rapid DPIA would meet these requirements - it is simply a document which demonstrates the Ministers' compliance with the accountability principle under the UK GDPR/DPA.

27. Having considered the terms of the Applicant's request and the function of the rapid DPIA, the Commissioner is satisfied that it is reasonable to interpret the Applicant's request as encompassing the rapid DPIA held by the Ministers at the date of the request.

28. The rapid DPIA, while marked "draft", is a detailed document and is the version of the DPIA in place at the time of the request. The Commissioner is therefore satisfied that the rapid DPIA falls within the scope of the request. (This does not mean that a request which does not specifically request drafts will automatically encompass the drafts. For example, if a requester requests a copy of a letter an authority has sent to a third party, the request will not encompass drafts of the letter unless if it specifically says so.)

29. In the circumstances, the Commissioner finds that the Ministers were not entitled to notify the Applicant, in line with section 17 of FOISA, that it did not hold any recorded information falling within scope of his request.

30. The Commissioner requires the Ministers, to issue a new review response (other than in terms of section 17(1) of FOISA) to the Applicant.

Section 15 - advice and assistance

31. As detailed above, the Ministers acknowledge that they could have provided further advice and assistance to the Applicant when responding to the request.

32. The Commissioner has reached the same view as that the Ministers that they failed in their duty to provide advice and assistance in line with section 15(1) of FOISA.

Decision

The Commissioner finds that the Scottish Ministers (the Ministers) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. The Ministers:

  • breached section 1(1) of FOISA by notifying the Applicant they did not hold any information falling within the scope of his request; and
  • failed to provide reasonable advice and assistance to the Applicant in terms of section 15(1) of FOISA.

The Commissioner requires the Ministers to carry out a new review. The review must, in line with section 21(4)(b) of FOISA, substitute a different decision for the decision issued on 30 August 2020.

The Ministers must do this by 19 November 2021.

Appeal

Should either the Applicant or the Ministers wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Ministers fail to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Ministers have failed to comply. The Court has the right to inquire into the matter and may deal with the Ministers as if they had committed a contempt of court.

Margaret Keyse
Head of Enforcement
5 October 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

15 Duty to provide advice and assistance

(1) A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and assistance to a person who proposes to make, or has made, a request for information to it.

(2) A Scottish public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice issued under section 60 is, as respects that case, to be taken to comply with the duty imposed by subsection (1).

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

21 Review by Scottish public authority

(4) The authority may, as respects the request for information to which the requirement relates-

(b) substitute for any such decision a different decision; or