Decision 012/2019: Data protection awareness training

Public authority: Dumfries and Galloway Health Board
Case Ref: 201801161

Summary

NHS Dumfries and Galloway was asked for information relating to data protection awareness training for psychologists.

It withheld some of the information under section 38(1)(b) of FOISA, considering it to be personal data exempt from disclosure.

The Commissioner investigated and agreed that the information was properly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

General Data Protection Regulation (the GDPR) Article 5(1)(a) (Principles relating to processing of personal data), Article 6(1)(a) and (f) (Lawfulness of processing)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 27 May 2018, Mr B made a request for information to Dumfries and Galloway Health Board (NHS Dumfries and Galloway). The request stated:

Your Data Protection policy states: "f) Data Protection Awareness training will be provided to staff every two years to keep them better informed of relevant legislation and guidance regarding the processing of personal information."

(i) Please provide the dates in the last three years when the psychologists at Lifespan Intellectual Disability completed their Data Protection Awareness training.

(ii) What is the name of the training course?

To avoid this becoming personal data, please anonymise the data by using descriptions such as Psychologist A, Psychologist B etc.

(iii) Were there any psychologists who did not complete their Data Protection Awareness training within the last three years? If so, how many?

(iv) How many psychologists work at the Lifespan Intellectual Disability department?

2. NHS Dumfries and Galloway responded on 14 June 2018, disclosing the information on the name of the training course, but withholding the other information under sections 38(1)(b) and 36(2) of FOISA.

3. On 18 June 2018, Mr B wrote to NHS Dumfries and Galloway, requesting a review of its decision on the basis that he did not agree with the withholding of the remaining information. He reiterated that he had not asked for names or job titles.

4. NHS Dumfries and Galloway notified Mr B of the outcome of its review on 6 July 2018. It upheld the application of sections 38(1)(b) and 36(2) of FOISA, noting that the individual(s) concerned numbered less than five (i.e. "one or two") and that training (whether mandatory or optional) related to the individual staff members and not to the roles they were undertaking with NHS Dumfries and Galloway.

5. On 10 July 2018, Mr B wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr B stated he was dissatisfied with the outcome of NHS Dumfries and Galloway's review because he did not believe he was asking for personal data and therefore the exemptions could not apply.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr B made a request for information to a Scottish public authority and asked NHS Dumfries and Galloway to review its response to that request before applying to him for a decision.

7. On 3 September 2018, NHS Dumfries and Galloway was notified in writing that Mr B had made a valid application. NHS Dumfries and Galloway was asked to send the Commissioner the information withheld from Mr B. NHS Dumfries and Galloway provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Dumfries and Galloway was invited to comment on this application, with specific reference to the requirements of section 38(1)(b) of FOISA.

9. Mr B was also invited to comment on any legitimate interests he believed disclosure of the information would satisfy.

10. Submissions were received from both Mr B and NHS Dumfries and Galloway.

Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr B and NHS Dumfries and Galloway. He is satisfied that no matter of relevance has been overlooked.

12. The Commissioner will firstly consider section 38(1)(b) of FOISA.

Section 38(1)(b) - Personal data

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

14. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

15. In order to rely on this exemption, NHS Dumfries and Galloway must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR. NHS Dumfries and Galloway provided submissions relating to the principles in paragraphs (a) and (b) of Article 5(1).

Is the withheld information personal data?

16. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018. The definition is set out in full in Appendix 1.

17. Parts (iii) and (iv) of Mr B's request concern numbers of individuals. Part (i) refers to dates of training.

18. In his application to the Commissioner, Mr B stated that NHS Dumfries and Galloway refused to disclose the information because it was personal information, but he was not seeking personal information.

19. NHS Dumfries and Galloway submitted that the information regarding training related to particular individual(s). The training was specific to the individual(s) and not to the role(s) they undertook for NHS Dumfries and Galloway.

20. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland[1]. The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data.

21. Public authorities responding to requests for numbers will therefore have to determine whether members of the public would be able (realistically) to identify individuals from the numbers, if they are disclosed.

22. The Commissioner is of the view that due to the small number of psychologists employed by NHS Dumfries and Galloway ("one or two"), there would be a realistic prospect of identifying the data subject(s). The data subject(s) could be identified, directly or indirectly (taking the withheld information with other accessible information), by reference to their employment with NHS Dumfries and Galloway. Given the numbers involved, the Commissioner is not satisfied that the information could be anonymised successfully.

23. The Commissioner therefore concludes that the information being withheld under points (i), (iii) and (iv) of Mr B's request comprises personal data.

24. Having considered whether any of this information would fall within any of the special categories of personal data, under which processing is prohibited by Article 9 of the GDPR, the Commissioner is satisfied that it would not.

Which of the data protection principles would be contravened by disclosure?

25. In its submissions, NHS Dumfries and Galloway made reference to Articles 5 and 6 of the GDPR. Among other data protection principles, it referred to that in Article 5(1)(a) of the GDPR. Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing.

26. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed.

27. The Commissioner considers conditions (a) and (f) in Article 6(1) to be the appropriate conditions for consideration in this case.

28. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. "Consent" is defined in Article 4 of the GDPR as-

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;"

In terms of Article 7(1), the data controller (in this case, NHS Dumfries and Galloway) must be able to demonstrate that the required consent exists.

29. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

Condition (a)

30. NHS Dumfries and Galloway submitted that the data subject(s) had been asked for consent and objected to disclosure of their personal data. It submitted that the data subject(s) were fully informed of the request and confirmed their refusal freely.

31. The Commissioner has taken account of all the submissions made by NHS Dumfries and Galloway on this matter and accepts that it is reasonable to conclude that the data subject(s) did not give the required consent for their personal data to be disclosed.

32. Therefore, he concludes that condition (a) does not allow for disclosure of the information.

Condition (f)

Does the person making the information request have a legitimate interest in obtaining the personal data?

33. NHS Dumfries and Galloway submitted that Mr B did not have a legitimate purpose in seeking the information, other than to harm the reputation(s) of the psychologist(s) concerned. It provided further information on why it believed this to be the case.

34. Mr B stated that it was in his interest to know if NHS Dumfries and Galloway's psychologists were being properly trained in data protection matters, explaining his connection with the service in question. He stated that he wished to be reassured that the psychologists were adequately trained in protecting personal data.

35. In a wider sense, he argued that it was an indication of how well senior management of a public body ensured that their staff followed compulsory training and other rules.

36. Having considered the submissions from both NHS Dumfries and Galloway and Mr B, the Commissioner is of the view that Mr B does have a legitimate interest in seeking the information in question for the reasons set out in paragraph 34.

Is the disclosure of the personal data necessary to achieve that legitimate interest?

37. The Commissioner will now consider whether or not that legitimate interest can be satisfied in any other way apart from disclosure of the personal data in question.

38. It is the Commissioner's view that the information in question regarding the number of psychologists employed and their data protection awareness training could only be obtained through disclosure by NHS Dumfries and Galloway. Mr B would not be able to obtain this information in any other way. This is not information which is obviously in the public domain. In all the circumstances, the Commissioner accepts that disclosure would be necessary to achieve Mr B's legitimate interests in this case.

Even if the processing is necessary to achieve that legitimate interest, is that overridden by the interests or fundamental rights and freedoms of the data subject(s)?

39. Finally, the Commissioner must go on to consider whether or not the interests, fundamental rights and freedoms of the data subject(s) carry more weight than the legitimate interests of Mr B.

40. In the Commissioner's guidance[2] on section 38 of FOISA, he notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

(iv) the reasonable expectations of the individual as to whether the information should be disclosed.

41. NHS Dumfries and Galloway submitted that the training in question was required for all employees for their own development and was not role-specific. The Commissioner accepts this, and acknowledges that such training would be relevant to employment outwith NHS Dumfries and Galloway. As such, it could reasonably be deemed to relate to the trainees as individuals rather than as employees of the public authority.

42. As noted above, it can be seen that the data subject(s) did not give permission for their personal data to be disclosed into the public domain. NHS Dumfries and Galloway also provided the Commissioner with submissions as to why such disclosure could cause potential harm and distress to them.

43. In all the circumstances, the Commissioner is satisfied that NHS Dumfries and Galloway has provided sufficient evidence to show that the data subject(s) has/have a reasonable expectation that this personal information would not be disclosed into the public domain. The matter of whether or not specific training has been undertaken could have a bearing on the professional standing of the data subject(s) in question and it could be argued that it should be their choice as to whether, and if so when, they wish to disclose such information.

44. Having balanced the legitimate interests of the data subject(s) against those of Mr B, the Commissioner finds that any legitimate interests served by disclosure of the withheld personal data would not outweigh the unwarranted prejudice that would result in this case to the rights and freedoms or legitimate interests of the individual(s) in question. In the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the GDPR cannot be met in relation to the withheld personal data.

45. As no condition in Article 6(1) of the GDPR can be met, the Commissioner must regard disclosure of the withheld personal data as unlawful.

46. Given that disclosure would be unlawful, the Commissioner is not required to go on to consider separately whether disclosure would otherwise be fair and transparent in relation to the data subject(s).

47. In all the circumstances, therefore, the principle in Article 5(1)(a) of the GDPR cannot be met and the Commissioner finds that the information was properly withheld under section 38(1)(b) of FOISA.

48. As the Commissioner has upheld the application of section 38(1)(b) of FOISA, he is not required to go on to consider section 36(2) in this case.

Decision

The Commissioner finds that NHS Dumfries and Galloway complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr B.

Appeal

Should either Mr B or NHS Dumfries and Galloway wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
5 February 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection (1), the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to-

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as-

(d) disclosure by transmission, dissemination or otherwise making available,

(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.


[1] http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d5a43ad9a18e97498382489c6c7fea9de9.e34KaxiLc3qMb40Rch0SaxyKbhf0?text=&docid=184668&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1077604

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx