***This decision has been appealed to the Court of Session by the applicant***
Decision 011/2008 Ms P and Scottish Commission for the Regulation of Care
Documentation provided by a service provider
Applicant: Ms P
Authority: Scottish Commission for the Regulation of Care
Case No: 200700284
Decision Date: 23 January 2008
Kevin Dunion
Scottish Information Commissioner
Request for information obtained from a Service Provider ? refused by Care Commission- decision upheld by Commissioner
Relevant Statutory Provisions and Other Sources
Freedom of Information (Scotland) Act 2002 (FOISA): sections 1(1) (General entitlement); 2 (Effect of exemptions);38(1)(a) and (b) (Personal information)
Data Protection Act 1998 (the DPA): section 1(1) (Basic interpretative provisions: definition of personal data and data subject); Schedule 1 (The data protection principles: first data protection principle)
The full text of each of these provisions is reproduced in the Appendix to this decision. The Appendix forms part of this decision.
Facts
Ms P requested from the Scottish Commission for the Regulation of Care (the Care Commission) documentation relating to an internal investigation carried out by a Service Provider into the death of her mother, held by the Care Commission for the purposes of its own related investigation.The Care Commission released one redacted document but refused to release information contained in a further two documents. The reason for refusal (and for the redactions) was that the information was exempt under the terms of sections 38 (Personal information) and 36 (Confidentiality) of FOISA.
Following a review, which generally upheld the original decision to withhold, Ms P applied to the Commissioner for a decision. The Commissioner investigated the case and found that the Care Commission had dealt with the request for information in accordance with Part 1 of FOISA, finding in particular that disclosure of the information would contravene at least one of the data protection principles and therefore that the information was exempt under section 38(1)(b) of FOISA.
Background
1.On 24 July 2006, Ms P requested from the Care Commission, through her solicitors, documentation which "may have been made available [to it] in relation to the internal investigation carried out by the Service Provider [into the death of Ms P's mother] and which was viewed as part of the Care Commissioner's investigation process [into complaints raised in relation to the death].
2.On 30 October 2006, the Care Commission wrote to Ms P's solicitors informing them that it was in possession of 3 documents;
a) Notification of Significant Events Form
b) Notes of an interview, and
c) Statement Record.
3.In relation to the Notification of Significant Events Form, the Care Commission released a copy with third party information redacted, citing the exemptions in sections 38 (personal information) and 36 (confidentiality) of FOISA as justification for the redactions. The Care Commission refused to release the information in the notes of an interview and the Statement Record, again citing both sections.
4.On 4 December 2006, Ms P's solicitors wrote to the Care Commission requesting a review of its decision to withhold information. The Care Commission responded to this request on 8 January 2007, upholding its original decision overall but releasing a further copy of the Notification of Significant Events Form with fewer redactions.
5.On 23 February 2007, Ms P's solicitors wrote to my Office on her behalf, stating that she was dissatisfied with the outcome of the Care Commission's review and applying to me for a decision in terms of section 47(1) of FOISA.
6.The application was validated by establishing that Ms P had made a request for information to a Scottish public authority and had applied to me for a decision only after asking the authority to review its response to that request.
The Investigation
7.On 30 April 2007, my office wrote to the Care Commission, giving notice that an application had been received and asking it to provide copies of the information withheld from Ms P. This was duly provided, along with a statementof the Care Commission's reasons for withholding the information, and the case was allocated to an investigating officer
8.During the investigation the Care Commission was asked to clarify the precise exemptions it was relying on in this case and further submissions were provided in response. At this point, the Care Commission indicated that although it did not apply section 35(1)(g) (law enforcement) of FOISA at the time of the review, it now considered it to be relevant.
The Commissioner's Analysis and Findings
9.In coming to a decision on this matter, I have considered all of the information and the submissions that have been presented to me by both the applicant and the Care Commission and I am satisfied that no matter of relevance has been overlooked.
10.The Care Commission advised that Ms P's own personal information was redacted from the Notification of Significant Events Form under section 38(1)(a) of FOISA. For this absolute exemption to apply, all that is required is that the information be personal data of the which the applicant (in this case Ms P) is the data subject, the terms "personal data" and "data subject" being defined for these purposes in section 1(1) of the DPA. Having considered the redactions made to this document under section 38(1)(a), I am satisfied that the Care Commission correctly applied and the exemption to this information. I note that this information was released to Ms P following a subject access request made under the DPA, which I would regard as the appropriate means of obtaining information of this kind. .
11.In relation to the remaining redactions in the Notification of Significant Events Form, the Care Commission initially relied on the exemptions in sections 36 (confidentiality) and 38 (personal data), clarifying in the course of the investigating that the particular exemptions claimed were those under sections 36(1) (which relates to information in respect of which a claim to confidentiality of communications could be maintained in legal proceedings) and 38(1)(b) (considered further below). They also indicated at that later point that the exemption in section 35(1)(g) of FOISA would apply.
12.The exemption in section 38(1)(b) is set out in full in the Appendix below. In considering whether it applies, the first question I have to address is whether the information redacted is in fact personal data. Having looked at the information I am satisfied that it is.The information in question clearly identifies certain individuals and is about those individuals. There are a number of circumstances in which personal data will be exempt under section 38(1)(b), including where the disclosure of the information to a member of the public otherwise than under FOISA would contravene any of the data protection principles (which are set out in Schedule 1 to the DPA).
13.The Care Commission has argued that disclosure of the information withheld in this case would contravene the first data protection principle. In particular, it has argued that due to the nature of the information its disclosure would cause the data subjects distress
14.The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. In considering whether disclosure of personal information is fair, it is relevant to take into account whether or not the third party would expect that his/her information might be disclosed to others.
15.In relation to the redactions within the Notification of Significant Events Form, I am not satisfied that the data subjects would have had any reasonable expectation that the information would be disclosed to a member of the public and therefore accept that disclosure would be unfair and in breach of the first data protection principle.
16.The Care Commission also argued that section 38(1)(b) applied to the information in the interview notes and Statement Record. I accept that this information clearly identifies and is about certain individuals and therefore that it is their personal data. I note the Care Commission argues that disclosure of this information would also breach the first data protection principle.Having considered the information in question, once again I accept that the data subjects would have had no reasonable expectation that it would be disclosed to a member of the public and therefore accept that disclosure would be unfair and in breach of the first data protection principle.
17.The exemption in section 38(1)(b) is an absolute exemption, which means that public interest cannot be taken into account when considering whether or not information should be withheld under it.
18.Since I have accepted that all of the information withheld is exempt under section 38(1)(b) of FOISA, I am not required to (and therefore will not) consider further the other exemptions claimed by the Care Commission.
Decision
I find that the Scottish Commission for the Regulation of Care acted in accordance with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to Ms P's information request, the information withheld being properly exempt under section 38(1)(b) of FOISA.
Appeal
Should either Ms P or the Scottish Commission for the Regulation of Care wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this notice.
Kevin Dunion
Scottish Information Commissioner
23 January 2008
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?
(a) the provision does not confer absolute exemption; and
(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?
?
(e) in subsection (1) of section 38 ?
(i) paragraphs (a), (c) and (d); and
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38Personal information
(1) Information is exempt information if it constitutes-
(a) personal data of which the applicant is the data subject;
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
(?)
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
(?)
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
Data Protection Act 1998
1 Basic interpretative provisions
(1) In this Act, unless the context otherwise requires-
?
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
?
Schedule 1 ? The data protection principles
Part 1 ? The principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
