Home Decisions

Decision 190/2021

Decision 190/2021: Covid vaccine take up, and death and survival rates, at Thorney Croft Care Home

Public authority: Dumfries and Galloway Health Board
Case Ref: 202100692

Summary

NHS Dumfries and Galloway was asked about the rate of take up of the Covid-19 vaccination, in Thorney Croft Care Home, along with the number of individuals who had survived and those who had died, over a specific time scale. NHS Dumfries and Galloway disclosed some information, but withheld the rest on the basis it considered it to be personal data and exempt from disclosure.

Following an investigation, the Commissioner concluded that the remaining information was not personal data. He required NHS Dumfries and Galloway to disclose that information to the Applicant.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR) and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) and (f) (Principles relating to the processing of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 13 April 2021, the Applicant made a request for information to Dumfries and Galloway Health Board (NHS Dumfries and Galloway). The information request contained five questions, only one of which (question 3) is covered by this Decision Notice. Question 3 read as follows:

From BBC Report "Dumfries and Galloway Health and Social Care Partnership said more than 90 staff and residents had tested positive at the Thorney Croft site". Can you please inform me, to date i) how many residents in that home have died after taking the vaccine; ii) how many survived; iii) how many residents were not given the vaccine; and iv) how many non-vaccinated residents have survived.

2. NHS Dumfries and Galloway responded on 20 April 2021. In response to question 3 of the Applicant's request, NHS Dumfries and Galloway relied on section 18(1) of FOISA to neither confirm nor deny whether relevant recorded information existed or was held. NHS Dumfries and Galloway stated that if the information existed and was held it would be exempt from disclosure in line with sections 38(1)(b) and 38(1)(d) of FOISA.

3. On the same day, the Applicant wrote to NHS Dumfries and Galloway, requesting a review of its decision, seeking an explanation as to why it would not be in the public interest to confirm or deny whether relevant recorded information was held. The Applicant commented that, given that this was an ongoing emergency and an "experimental vaccine" was being used, he believed his request was extremely important to the public interest. The Applicant also sought an explanation as to how raw numbers (with no names or any other form of identification) would breach data protection and/or identify anyone. He made it clear that he never asked to be able to identify anyone and overall did not accept NHS Dumfries and Galloway's arguments.

4. NHS Dumfries and Galloway notified the Applicant of the outcome of its review on 17 May 2021. In its response, NHS Dumfries and Galloway informed the Applicant of the total number of deaths of residents at Thorney Croft Care Home. It also informed him of the number of residents who survived. NHS Dumfries and Galloway refused to break this information down to the level requested by the Applicant, as to whether the residents had received a COVID vaccination or not. NHS Dumfries and Galloway considered that information to be personal data and continued to rely on the exemptions in sections 38(1)(b) and 38(1)(d) of FOISA for withholding it as it considered disclosure would breach data protection legislation.

5. On 1 June 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of NHS Dumfries and Galloway's review because he did not believe that provision of the raw numbers - with no personal details requested - would breach data protection legislation or pose any privacy concerns. The Applicant submitted that providing him with the raw numbers told him nothing about any individual.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 3 June 2021, NHS Dumfries and Galloway was notified in writing that the Applicant had made a valid application. The case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Dumfries and Galloway was invited to comment on this application, provide the withheld information and answer specific questions. These questions related to why it considered the withheld information to be personal data and why it considered the claimed exemptions to apply.

9. During the investigation, NHS Dumfries and Galloway indicated that, on reflection, it had been incorrect to apply the exemption in section 38(1)(b) of FOISA to the number of residents who were not vaccinated. Whilst it considered that it was within its rights to apply the exemption in section 38(1)(b) to information as to the number of residents who were not vaccinated and survived, NHS Dumfries and Galloway considered it would be possible for it to confirm to the Applicant that the relevant number was less than five. As a consequence, NHS Dumfries and Galloway issued a revised response to the Applicant's requirement for review on 7 September 2021.

10. Within its revised review response, NHS Dumfries and Galloway also provided the Applicant with information which would address, in full, parts (i) and (ii) of question 3 in his request.

11. Having now disclosed information withheld from the Applicant in dealing with his request and requirement for review, and not offering any reasons for withholding it earlier, the Commissioner must find that NHS Dumfries and Galloway was not entitled to rely on the exemptions in section 38(1)(b) and 38(1)(d) of FOISA for withholding this information.

12. Whilst the Applicant acknowledged that he had received this revised response from NHS Dumfries and Galloway, he remained dissatisfied with the responses provided, specifically, in relation to NHS Dumfries and Galloway's refusal to provide an actual figure in response to part iv) of question 3. The Applicant also raised other issues, but these did not fall within the scope of his request and therefore cannot be considered here.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Dumfries and Galloway. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

14. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018. NHS Dumfries and Galloway continues to argue that this exemption applies to the actual figure required to respond to part iv) of question 3 of the request.

15. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

16. To rely on this exemption, NHS Dumfries and Galloway must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR.

Is the withheld information personal data?

17. The first question the Commissioner must address is whether the actual number of residents who were not given the vaccine and survived is personal data for the purposes of section 3(2) of the DPA 2018.

18. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual". Section 3(2) of the DPA 2018 defines "identifiable living individual" as a living individual who can be identified, directly or indirectly, in particular by reference to -

(i) an identifier, such as a name, an identification number, location data, or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

19. In its submissions to the Commissioner, NHS Dumfries and Galloway asserted that disclosure of the precise figure in response to part (iv) of question 3, which would put the information into the public domain, could lead to other information (also made available in response to an FOI request) being "paired" with it to identify individuals. NHS Dumfries and Galloway submitted that, if the same questions had been asked but split by gender and also age, it would be possible for individuals to be identified.

20. The two main elements of personal data are that the information must "relate to" a living person, and that the person must be identified - or identifiable - from the data, or from the data and other accessible information.

21. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

22. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals.

23. In the case of Breyer v Bundesrepublik Deutschland (C-582/14)[1] the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is a realistic prospect of someone being identified. When making that determination, account can be taken of the information in the hands of a third party. However, there must be a realistic causal link.

24. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner considers that the same rules will apply. In accordance with Recital 26 of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, taking into consideration the available technology at the time of processing and technological developments.

25. The Commissioner has considered NHS Dumfries and Galloway's submissions, together with the information that remains withheld. He is not satisfied that he has been provided with sufficiently persuasive arguments to conclude that disclosure would lead to the identification of individuals.

26. The Commissioner accepts that particular residents themselves, health care staff and relatives may be aware of whether a particular individual has been a recipient of a COVID-19 vaccine or not, and also whether they have survived. However, he does not accept that disclosure of the precise figure into the public domain in response to a FOISA request (such as this one) would increase the likelihood of those individuals being readily identifiable to anyone else.

27. NHS Dumfries and Galloway's argument about identification appears to proceed on the basis of other information about those individuals being disclosed in response to an FOI request, with which this information might be "paired" to permit identification. The Commissioner has seen no evidence that this has been done. (The possibility that it might be done in the future is immaterial in this case: the circumstances prevailing at that point would need to be considered before any further disclosure.) Nor has he been shown any submission or evidence to demonstrate that there is (and was at the time of the Applicant's request for review) other publicly available information that the Applicant could use to "pair" with the relevant precise figure, which would allow him, or others, to identify specific individuals.

28. In all the circumstances, therefore, the Commissioner does not accept that there is a realistic causal chain that could lead to the identification of living individuals as claimed by NHS Dumfries and Galloway. The Commissioner does not agree that those individuals would be identified, or identifiable, as a consequence of disclosure of the withheld information, with the result that the information does not qualify as personal data, as defined in section 3(2) of the DPA.

29. As the Commissioner is not satisfied that the information that has been withheld is personal data, he must find that NHS Dumfries and Galloway was not entitled to withhold the precise number which would fulfil part (iv) of question 3 of the Applicant's request, under section 38(1)(b) of FOISA.

30. The Commissioner therefore requires NHS Dumfries and Galloway to provide the Applicant with the precise number held which would fulfil part (iv) of question 3 of his request. (As noted above, during the investigation, NHS Dumfries and Galloway advised the Commissioner that it no longer wished to rely on the exemption in section 38(1)(d) of FOISA.)

Decision

The Commissioner finds that Dumfries and Galloway Health Board (NHS Dumfries and Galloway) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. The Commissioner finds that the information was incorrectly withheld under the exemption in section 38(1)(b) and 38(1)(d) of FOISA, with the result that NHS Dumfries and Galloway failed to comply with section 1(1) of FOISA.

As NHS Dumfries and Galloway has already disclosed the recorded information held which would fulfil parts (i), (ii) and (iii) of question 3 of the Applicant's request, he does not require it to take any action in relation to that information.

However, the Commissioner does require NHS Dumfries and Galloway to disclose the precise figure which fulfils part (iv) of question 3 of the Applicant's request, by 17 January 2022.

Appeal

Should either the Applicant or NHS Dumfries and Galloway wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If NHS Dumfries and Galloway fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS Dumfries and Galloway has failed to comply. The Court has the right to inquire into the matter and may deal with NHS Dumfries and Galloway as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement
2 December 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.