Decisions Round-up: 11 to 15 February 2019

 As regular readers will know, last May saw the repeal of the Data Protection Act 1998 and the introduction of the General Data Protection Regulation and the Data Protection Act 2018 (DPA 2018).

Although the changes came into force a while ago, transitional provisions in the DPA 2018 meant that we still had to make decisions under the "old law" if the authority had responded to the request before 25 May 2018.

This week sees the publication of the first of our decisions under the "new law."

Learning points:

Our first decisions under the new data protection rules: same destination, different route

The decisions look at:

  • the new rules for determining whether personal data can be disclosed under the FOI Act (Decision 012/2019) or the Environmental Information Regulations (Decision 016/2019)
  • confirming or denying whether personal data is held under the new rules (Decision 013/2019)

What we can see from the decisions is that the destination is the same - but we need to follow a different route to get there.

Remember we've got guidance on when personal data can - and can't - be disclosed under the FOI Act and the Environmental Information Regulations. We'll be updating this over the next couple of weeks to include decisions under the new rules.

Decisions issued:

  • Decision 012/2019 Mr B and Dumfries and Galloway Health Board
    Mr B asked for the number of psychologists who had undertaken data protection training. The Board refused to disclose the numbers, on the basis that they were personal data and exempt from disclosure. Mr B didn't think the numbers could be personal data. However, given the small numbers involved, we were satisfied individuals could be identified and that the numbers were personal data. We were also satisfied that disclosure would be unlawful, meaning that the information was exempt under section 38 of the FOI Act.
  • Decision 013/2019 Mr D and Police Scotland
    Police Scotland were asked if they had investigated whether a named individual had been involved in specified deaths. Police Scotland refused to confirm or deny whether they held any information about this. We agreed this was the correct approach. If held, disclosure would breach the DPA 2018. Given that Police Scotland were required to comply with the DPA 2018 and given the negative effect confirming whether the personal data existed could have on future criminal investigations, it was in the public interest not to confirm whether the information existed.
  • Decision 014/2019 Mr D and Greater Glasgow and Clyde Health Board
    Mr D was unhappy at how long it had taken for him to be treated as an outpatient and wanted to see whether people were treated differently depending on their postcode. He therefore asked the Board for the postcodes of the patients who had attended the clinic at the same time as him. The Board disclosed the postcodes to four digits, but refused to disclose the full postcodes on the basis that individuals could be identified from their postcodes in conjunction with other information known to Mr D. We agreed. We also agreed that disclosure of the postcodes would be unlawful.
  • Decision 015/2019 Colin Kerr and Dumfries and Galloway Health Board
    In this decision, we found that the Board failed to respond to Mr Kerr's request for review within the timescales set down by the FOI Act.
  • Decision 016/2019 Mr E and Glasgow City Council
    Mr E asked the Council about its contact with the owners of a building. We agreed that the correspondence was the owners' personal data and that it would be unlawful to disclose it. This meant that it could not be disclosed under the Environmental Information Regulations.

Back to Top