Decision 158/2024: Communications about patient representatives

Authority:  Scottish Ministers
Case Ref:  202200450

Summary

The Applicant asked the Authority for written communications concerning patient representatives that occurred between named groups and specified dates.  The Authority responded to the Applicant but withheld some information because it was personal information.

The Commissioner investigated and found that the Authority had partially breached FOISA in responding to the request.  He found that the Authority had correctly withheld personal information but that it had handled the request poorly, and had wrongly withheld information that it later disclosed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a), (2)(e)(ii) (Effect of exemptions); 21(1) (Review by Scottish public authority); 38(1)(a), (b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 30 June 2021, the Applicant made a clarified request for information to the Authority.  This followed an original request made on 22 June 2021, and subsequent guidance from the Authority advising her to reduce the scope of the request.  The Applicant requested:

(i) All written communications by email, letters and notes regarding communication involving the Scottish Government’s National Advisory Committee on Chronic Pain (NACCP) members, officials and chair and the Clinical Priorities Unit over patient representatives between April 1 2021 to July 2 2021.

(ii) All written communications by email, letters and notes involving the Scottish Government’s National Advisory Committee on Chronic Pain members, officials and chair and the Health and Social Care Alliance and its appointees concerning NACCP patient representatives between April 1 2021 to July.

2. The Authority responded on 14 July 2021, and advised the Applicant that it was applying section 12 of FOISA (Excessive cost of compliance) to the request.  The Authority explained that the request was large in scope and involved a significant number of emails.  The Authority again advised the Applicant to reduce the scope of her request.

3. On 16 August 2021, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that she was dissatisfied with the decision because she did not accept that the cost of complying with the request would exceed £600.

4. The Authority notified the Applicant of the outcome of its review on 5 November 2021.  The Authority withdrew its reliance on section 12(1) of FOISA, and disclosed the information, with some information redacted under section 38(1)(b) of FOISA (personal information of a third party).  In its review outcome, the Authority advised the Applicant that it had previously answered her other questions regarding its handling of the request and, therefore, it did not address these in the review.

5. On 21 April 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant expressed her dissatisfaction with the Authority’s reliance on section 38(1)(b) of FOISA to withhold personal data.

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

7. On 6 June 2022, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer.

8. On 23 June 2022, the Authority disclosed further information (personal information of a senior official) that was previously withheld under section 38(1)(b) of FOISA.  In this response, the Authority also informed the Applicant that it had changed its position on some of the other information that it had previously withheld under section 38(1)(b).  It told the Applicant that it was now withholding some of the information under section 38(1)(a) of FOISA, because it was the Applicant’s own personal data.  The Authority provided advice to the Applicant on how she could make a subject access request to obtain her personal information.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions. These related to how the Authority identified information within scope of the request and its reasons for withholding information.  The Authority was also asked specific questions about its handling of the case.

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

Information disclosed during the investigation

11. During the investigation, the Authority disclosed additional information to the Applicant.

12. Specifically, the Authority disclosed the name and initials of a senior official that had been redacted mistakenly (under section 38(1)(b) of FOISA) from correspondence disclosed in the Authority’s review outcome.  The Authority also disclosed information contained in attachments to emails (the emails themselves having previously been disclosed) which it had initially failed to identify as falling within the scope of the request.

13. In the absence of submissions to the contrary, the Commissioner must find that the above-described information was not exempt from disclosure and that the failure to disclose it at an earlier stage was a breach of Part 1 of FOISA.

Section 38(1)(a) – Personal information (requester’s own personal data)

14. During the investigation, the Authority issued the Applicant with a revised review outcome, indicating that it was now withholding the Applicant’s own personal data (her name) under section 38(1)(a) of FOISA, as this information had wrongly been withheld under section 38(1)(b) of FOISA.  

15. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject.  The fact that it is an absolute exemption means that it is not subject to the public interest test set out in section 2(1) of FOISA.

16. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the United Kingdom General Data Protection Regulation (the UK GDPR) (now – at the time of the request, under the GDPR).  This route is more appropriate for individuals accessing their personal data, as it ensures it is disclosed only to the individual.  Information disclosed under FOISA is considered to be disclosed into the public domain.  Section 38(1)(a) does not deny individuals a right to access information about themselves, but ensures that the right is exercised under the correct legislation (the UK GDPR, and previously the GDPR) and not under FOISA.

17. It is not for the Commissioner to comment on whether disclosures to the data subject under the GDPR or the UK GDPR have been made in accordance with the appropriate legislation.  That would be a matter for the (UK) Information Commissioner.

18. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the UK GDPR:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

19. The definition of personal data is set out in full in Appendix 1.  

20. The Commissioner has carefully considered the information that the Authority is withholding under section 38(1)(a) of FOISA, and he is satisfied that it comprises the Applicant’s own personal data.  It is apparent that the Applicant could be identified from the information.  He considers, therefore, that the appropriate action is to consider the information under the exemption in section 38(1)(a) of FOISA.

21. In the circumstances, the Commissioner is satisfied that the information being withheld under section 38(1)(a) of FOISA is the Applicant’s own personal data, and he accepts that it has been correctly withheld under this exemption.  Given this, the Commissioner must find that the Authority wrongly withheld the Applicant’s own personal data under section 38(1)(b) of FOISA.  

22. The Commissioner must now consider whether the Authority correctly withheld the remaining information under section 38(1)(b) of FOISA.

Section 38(1)(b) - Personal information of a third party

23. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and if its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.

24. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

25. In order to apply this exemption, the Authority must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

Is the information personal data?

26. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual.  “Identifiable living individual” is defined in section 3(3) of the DPA 2018, and is available in Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)

27. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

28. The Authority explained that the information being withheld under section 38(1)(b) consists of the names and direct contact details of individuals.  It submitted that those individuals can be identified from the information and therefore it is personal data as defined by section 3(2) of the DPA 2018.

29. The Commissioner is satisfied that the withheld information is personal data as it relates to identified or identifiable individuals.

Would disclosure contravene one of the data protection principles?

30. The Authority argued that disclosure would breach the first data protection principle in Article 5(1)(a) of the UK GDPR.  Article 5(1) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”

31. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.

32. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.

33. The Authority told the Commissioner it had considered whether there was any lawful basis that would allow processing of the data.  In doing so, it took advice from the Commissioner’s briefing on the use of section 38(1)(b) of FOISA.  Having considered the guidance, the Authority said that it considered that condition (f) of Article 6 of UK GDPR was relevant.

34. The Commissioner agrees with the Authority and he considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.

Article 6(1)(f) of the UK GDPR - legitimate interests

35. Condition (f) states that processing shall be lawful if it -

“…is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”

36. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

37. The three tests which must be met before Article 6(1)(f) can be relied on are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 - although this case was decided before the GDPR (and the UK GDPR) came into effect, the relevant tests are almost identical):

i) does the Applicant have a legitimate interest in the personal data?

ii) if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

iii) even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)?

Does the Applicant have a legitimate interest in obtaining the personal data?

38. The Authority submitted that it was not aware of any legitimate interest the Applicant had in the names and direct contact details of officials or members of third party organisations, and that it did not consider identifying the individuals would aid in the understanding of the information.

39. The Authority argued that, even if the Applicant did have a legitimate interest in obtaining the withheld information, it did not believe that would outweigh the interest in protecting the privacy of the individuals whose names and email addresses had been withheld.

40. The Applicant submitted that the importance of the subject matter of the request should be a determining factor.  She argued that those officials from the Authority and members of third-party organisations involved in the exchanges she requested were responsible for work on chronic pain which affected around 800,000 patients, and therefore knowing who they were afforded scrutiny of their competence and integrity.

41. The Applicant submitted that she had no personal interest in the names of officials and did not contact officials by name unless they contacted her personally.  She said that her contact with the Authority was directed through elected representatives or senior officials who have overall responsibility.  However, she argued that she sought the names of individuals in her request because the “lack of accountability flourishes under anonymity.”  The Applicant argued that the naming of officials indicated the legitimacy of a project, and she raised her concern that there was currently no accountability in relation to health officials.

42. The Applicant submitted that her legitimate interest was the public interest, not a personal interest in individuals.  She required the personal information because she wanted people to be named in an honest way under the Authority’s promises to be open and transparent.  She argued that if such ordinary openness was not possible under FOISA, then FOI was devalued.  She submitted that people who treasured it and campaigned for it wanted to see FOI standing visibly well clear of the Authority’s influence.

43. The Commissioner has carefully considered the submissions from both parties.  He is satisfied that the Applicant, and indeed the wider public, has a legitimate interest in seeking the names of those working in chronic pain, and that disclosure of this personal data would aid transparency and accountability within the Authority.  

Is disclosure of the personal data necessary?

44. Having satisfied himself that the Applicant has a legitimate interest, the Commissioner must consider whether disclosure of the withheld information, the personal data, is necessary to achieve the legitimate interest in the information.  “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject(s).

45. In her application, the Applicant submitted that it was difficult to understand the disclosed information (email correspondence) without knowing who the correspondence was between.  She argued that concealing names and disclosing only the domain names of email addresses (i.e. [redacted]@gov.scot) was secretive and could relate to any employee of the Authority.  She argued that there was no attempt to meaningfully indicate who was involved in the correspondence.

46. The Authority explained to the Commissioner that the individuals whose information had been withheld have a junior role (within the Authority or third-party organisations); roles which do not have a public profile.

47. The Commissioner acknowledges the Applicant’s argument that the individuals are tasked with carrying out important functions; however, as junior staff members they are not ultimately responsible for those functions (as the Applicant herself recognised in her submissions).

48. The Applicant has expressed wider concerns about accountability and transparency of the Authority; however, the Commissioner must consider the facts of this case and the legitimate interest in obtaining the names of junior individuals involved in the subject of the request.

49. It is the Commissioner’s view that the legitimate interests of the Applicant (and the wider public) in ensuring the actions of the Authority and, in particular, the Clinical Priorities Unit are transparent and accountable, lie with senior officials.  He is not satisfied that it is necessary to disclose the names of junior officials involved in the written correspondence to achieve that legitimate interest.

50. The Commissioner therefore finds that, although the Applicant has a legitimate interest in the personal data, disclosure is not necessary to achieve that legitimate interest.

51. In the absence of a condition in Article 6 of the UK GDPR which would allow the names of the junior officials to be disclosed lawfully, the Commissioner finds that disclosure would breach Article 5 of the UK GDPR.

Fairness and transparency

52. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

53. For the reasons set out above, the Commissioner is satisfied that the Authority was entitled to withhold the personal information under section 38(1)(b) of FOISA.

Adequacy of searches

54. During the investigation, and following further disclosures by the Authority, the Applicant expressed her dissatisfaction that some of the information, attachments to emails in particular, had not been disclosed.

55. When questioned, the Authority described the searches it carried out to identify information falling within scope of the request, which asked for information concerning patient representatives.  It explained that it used the terms “Patient Reference Group” (PRG) and “PRG” in the searches of its electronic records management system (eRDM) and that any communication received from a patient representative would be held and filed in the context of the PRG, collectively.  The Authority submitted that, at the stage of its review, it had identified that carrying out the searches in this way had enabled it to ensure the cost of responding was within the cost limitation set out in FOISA.

56. The Commissioner shares the Applicant’s concerns that the Authority did not disclose a complete set of information in responding to her request or requirement for review.  He notes that further information was disclosed to the Applicant during the investigation on two separate occasions.

57. The Commissioner can see no good reason why the information that has now been located (and disclosed) was not capable of being identified in either the initial response or the review outcome.  On balance, he accepts that, by the end of the investigation, the searches carried out by the Authority were adequate, but he is not satisfied that the original searches were sufficiently thorough or focused to identify relevant information.  

58. The Commissioner would advise the Authority to ensure that it carries out thorough searches to determine what information falls within the scope of a request made to it under FOISA.  Failure to do so destroys trust in the Authority, undermines FOI law and erodes confidence of the public in its utility.

Decision

The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.  

The Commissioner finds that the Authority was entitled to withhold some personal data under section 38(1)(a) and (b) of FOISA.

However, he finds that the Authority failed to comply with Part 1 of FOISA in responding to the request by:

  • failing to identify all information within scope of the request
  • wrongly withholding the names of senior officials under section 38(1)(b) of FOISA
  • wrongly withholding the Applicant’s own personal data under section 38(1)(b) of FOISA

Given that the Authority has since identified all of the information within scope of the request and disclosed it, other than the personal information which it is entitled to withhold, the Commissioner does not require the Authority to take any specific action in respect of these failures, in responding to the Applicant’s application.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Euan McCulloch
Head of Enforcement

31 July 2024


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –

(e) in subsection (1) of section 38 –

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

21 Review by Scottish public authority

(1) Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later than the twentieth working day after receipt by it of the requirement.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

    …

(5) In this section-

"the data protection principles" means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

which relates to an identifiable person or household;

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify –

(i) the request for information to which the requirement for review relates;

(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);

and

(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

 

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided –

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.