Decision 088/2005 Mr D and NHS Grampian

Request for information relating to the applicant – information withheld under section 38(1)(a) – failure to issue a refusal notice under section 16(1) of FOISA

Request for information held relating to the applicant.

Applicant: Mr D Authority: NHS Grampian
Case No: 200501337 and 200501350
Decision Date: 21 December 2005

Kevin Dunion
Scottish Information Commissioner


Facts

Mr D submitted two separate information requests to NHS Grampian for information relating to the handling of his case. NHS Grampian applied the exemption under section 38(1)(a) of the Freedom of Information (Scotland) Act 2002 (FOISA) to the information, on the grounds that it constituted personal data of which he was the subject. NHS Grampian failed, however, to make clear to Mr D that this exemption had been applied.

Mr D lodged an application with the Commissioner on the grounds that he was dissatisfied with the decision to process his request under the Data Protection Act 1998.

Decision

The Commissioner found that NHS Grampian acted correctly in processing Mr D’s information request under the Data Protection Act 1998 (DPA), as opposed to FOISA, and therefore in applying the exemption under section 38(1)(a) of FOISA.

However, the Commissioner also found that NHS Grampian failed in its duties under section 16(1) of FOISA, by failing to issue a formal refusal notice in relation to the case.

Appeal

Should either NHS Grampian or Mr D wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.

Background

1. Mr D submitted two information requests to two separate Consultant Psychiatrists employed by NHS Grampian, the first on 9 February 2005 and the second on 6 March 2005. The letters which contained these requests were part of a series of ongoing correspondence between Mr D and NHS Grampian relating to his involuntary detention and treatment in 2004 under the Mental Health (Scotland) Act 1984.

2. Mr D indicated in his correspondence that he sought copies of all communications held by NHS Grampian relating to his detention. In both pieces of correspondence Mr D explicitly referred to the Freedom of Information (Scotland) Act 2002 (FOISA) and indicated that he wished access to the information under that legislation.

3. NHS Grampian’s response to Mr D’s first request, dated 17 February, informed Mr D that the information sought was personal information, and was, therefore, not covered by FOISA, but was accessible under the Data Protection Act 1998 (DPA). The letter also noted that Mr D had separately made a subject access request for the information under the DPA. A brief response to Mr D’s second request was sent on 9 March. This referred Mr D to the provision of the relevant information under the DPA.

4. On 11 March Mr D wrote to the Complaints Manager within NHS Grampian. In this correspondence Mr D referred directly to these two requests for information, and indicated that he was dissatisfied with the recipient’s refusal to provide him with information under FOISA. Mr D also made reference to a number of other separate information requests and complaints, and requested that his case be reviewed in full.

5. Mr D initially contacted my Office in relation to this case with a view to making an application on 31 March 2005. This correspondence sought my intervention in relation to a number of information requests submitted by Mr D to various public authorities, of which NHS Grampian was one. However, this initial submission was received prior to the expiry of the 20 working day period provided by FOISA for NHS Grampian to respond to Mr D’s request for review. Mr D subsequently submitted additional information in support of his various cases. One of these submissions, received on 6 May 2005, contained information which fulfilled the criteria required by section 47(2) of FOISA for a valid application in relation to his case against NHS Grampian.

The Investigation

6. Mr D’s appeal was validated by establishing that he had made a valid request for information under FOISA, and had submitted an appeal only after asking the public authority to review its response to his request.

7. In his application, Mr D stated that he would be unhappy if his information request (in relation to this and other cases) were processed under the Data Protection Act 1998 (the DPA) as opposed to FOISA. This was for the following reasons:

• Mr D believed the process of accessing information under the DPA to be awkward and prohibitively expensive;
• He argued that the information requested was essentially about others, as opposed to being about himself, and suggested that he would feature in the information merely as a named person harmed by their actions.
• Mr D also argued that any information relating to him would be rumour, as opposed to fact, and suggested that rumour could not be considered to be personal data.

8. My investigating officer contacted NHS Grampian for its submissions in relation to these cases on 16 June 2005.

9. Responses to these communications were received from NHS Grampian in early July 2005.

The Commissioner’s Analysis and Findings

10. Mr D’s originally submitted two separate information requests to two individual employees of NHS Grampian. However, given that these requests were essentially seeking access to the same information - all recorded information held by NHS Grampian in relation to his case – it is appropriate to deal with these two applications within a single decision notice.

11. The key issue to be addressed in relation to these two appeals is the nature of the information sought by Mr D. In its submissions to this Office, NHS Grampian has stated that the information requested by Mr D falls within the category of an absolute exemption from disclosure under Section 38(1)(a) of FOISA, in that it constitutes personal data of which he is the subject. NHS Grampian also states that, following receipt of his information requests, a copy of his health record file was sent under the DPA.

12. Mr D has, however, questioned the view that the requested information constitutes personal data in his submissions to this Office (see paragraph 8 above). In addition, Mr D has indicated in his submissions that it is his belief that additional relevant information is held which has not been supplied.

Is the requested information personal data?

13. Mr D’s two requests contained an explicit reference to FOISA, and requested that the information be provided under that legislation. However, the fact that an information request refers to a specific piece of legislation will not necessarily mean that that request should be processed in accordance with that legislation. On receipt of information requests, public authorities should first consider the nature of the information requested, and subsequently process the request in accordance with whichever legislation is appropriate. If the information sought by an applicant falls under the definition of ‘personal information’ contained within the DPA, then that information request should be processed in accordance with that Act, regardless of whether the requestor has made reference to it or not.

14. Information which is appropriate for release under FOISA may be disclosed to any other individual that requests it. It will generally be inappropriate; therefore, to make personal data of the type requested by Mr D publicly available under FOISA, as to release such information without the data subject’s explicit consent would be a clear breach of that individual’s privacy rights. The DPA, however, provides individuals with an exclusive right of access to personal data which is held about them.

15. ‘Personal data’ is defined in section 1(1) of the DPA as:

‘data which relates to a living individual who can be identified:
a) from those data, or
b) from those data and from other information which is in the possession of or is likely to come into the possession of the data controller…’

16. The (UK) Court of Appeal ruling in Durant v Financial Services Authority [2003] EWCA Civ 1746 (the Durant ruling) provides further guidance when considering the definition of personal data. In this decision, the Court held that, if information is to be viewed as personal data, that information must be ‘biographical in a significant sense’. It therefore has to go beyond simply recording an individual’s involvement in a matter or event that has no personal connotations, and should feature the individual as the focus of the information. The Court of Appeal summarised personal data as information which ‘affects [a person’s] privacy, whether in his personal or family life, business or professional capacity’.

17. It is clear to me that the material sought by Mr D falls within the definition of personal data provided by the DPA and the Durant ruling. Mr D’s original requests to NHS Grampian were intended to seek access to information relating to both the handling of his case by NHS Grampian, and the treatment he received while in the care of the authority. As such, this information can clearly be considered to be personal data.

18. In his submissions to this Office, Mr D has stated that he was unhappy with NHS Grampian’s processing of his request under the DPA for a number of reasons. These are summarised at paragraph 7 above. During the course of this investigation, however, my staff have discussed these issues with Mr D, and have communicated to him the fact that requests for personal data should be processed under the DPA. In doing this, it was also made clear that an authority may choose to charge an appropriate fee under that legislation (although it would appear that NHS Grampian chose not to do so in relation to this case).

19. It was also communicated to Mr D that any information held relating to his personal life would likely fall within the scope of the DPA, regardless of whether that information contained inaccuracies, and that the DPA provided a route by which he could access this data and pursue the correction of any such inaccuracies. It should be noted that, following these communications, Mr D initiated correspondence with the Information Commissioner’s Office (ICO), which has responsibility for enforcing the DPA throughout the UK.

20. I therefore conclude that NHS Grampian acted correctly in processing Mr D’s requests under the DPA, as opposed to FOISA.

21. Finally, in his submissions to this Office, Mr D indicates that he believes that additional information is held which falls within the scope of his requests that was not provided by NHS Grampian under the DPA. Mr D explicitly refers to communications relating to a letter send by Depression Alliance Scotland to the Scottish Executive dated 22 January 2004 (the DAS letter) which he believes contributed to the decision to detain him, along with communications which he believes took place relating to his case between NHS Grampian, the Scottish Executive, Grampian Police and Moray Council.

22. Given my view, however, that any such information will constitute personal data and therefore will fall outwith the scope of FOISA, I am not empowered to investigate this matter further. Mr D may choose to make further contact with the ICO if he wishes to explore his options in relation to this issue further. It should be noted, however, that NHS Grampian has stressed in its submissions to my Office that it was not aware of the existence of the DAS letter at the time of Mr D’s original requests, and therefore states that it held no information relating to the letter (a copy of the letter has since been forwarded to NHS Grampian by Mr D).

NHS Grampian’s handling of the information request

23. I would also like to briefly comment on NHS Grampian’s handling of Mr D’s information requests.

24. As discussed above, both of Mr D’s original request contained direct references to FOISA. As a result, it was clear that Mr D intended to exercise his rights under FOISA when submitting his requests for information. Because of this, NHS Grampian should have proceeded by conducting an initial assessment of the requested information in order to establish whether FOISA was in fact the appropriate legislation under which the request should be processed. On reaching the conclusion that the requested information constituted personal data about Mr D, NHS Grampian should then have issued a formal refusal notice under section 16 of FOISA, stating that the information was exempt under section 38(1)(a), for the reason that it constituted personal data about the applicant. NHS Grampian should then also have provided details of the process by which the information would be made available under the DPA.

25. While Mr D would then have been entitled to request that NHS Grampian review its handling of the requests under FOISA, the scope of any such review would likely have been limited to a simple assessment of whether NHS Grampian acted correctly in applying the exemption under section 38(1)(a).

26. The failure to issue formal refusal notices under FOISA in relation to this case has undoubtedly contributed to a degree of uncertainty on the part of the applicant regarding both his rights under the access to information legislation, and the processes he should follow in order to exercise those rights. This has, in my view, had the effect of hindering the resolution of this matter.

27. In failing to issue Mr D with a formal refusal notice in relation to his information request, I therefore find that NHS Grampian failed in its duties under section 16(1) of FOISA. I note, however, that NHS Grampian has otherwise provided Mr D with a great deal of assistance in dealing with his application.

Decision

I find that the information requested by Mr D is exempt under section 38(1)(a) of the Freedom of Information (Scotland) Act 2002 (FOISA) and that, accordingly, NHS Grampian acted correctly in processing Mr D’s information requests under the Data Protection Act 1998, as opposed to FOISA.

I also find that NHS Grampian failed in its duties under section 16(1) of FOISA, by failing to issue a formal refusal notice in relation to this case. I do not require NHS Grampian to take any remedial action in relation to this case.

Kevin Dunion
Scottish Information Commissioner
21 December 2005

 

 

Link to PDF file of decision 088/2005 (62 kb)