Home Decisions

Decision 014/2019

Decision 014/2019: Postcodes of patients

Public authority: Greater Glasgow and Clyde Health Board
Case Ref: 201801334

Summary

NHS GGC was asked for the full postcodes of patients attending an out of hours service at a hospital on a set date during a specified time.

NHS GGC disclosed the postcodes to four digits, but withheld the full postcodes under section 38(1)(b) of FOISA, considering the information to be the personal data of the patients and exempt from disclosure.

The Commissioner investigated and found that NHS GGC had complied with FOISA in responding to the request.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", the GDPR, "personal data" and "processing") and (5A) (Personal information)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 29 January 2018, Mr D made a request for information to Greater Glasgow and Clyde Health Board (NHS GGC). Among other information, he asked for the full postcodes of the patients who had attended an Out Of Hours (OOH) service on a specified date and during a specified time.

2. NHS GGC responded on 26 February 2018. It disclosed part of the postcode (first four digits). NHS GGC considered that disclosure of the full postcode of each patient, in conjunction with other available information, would have the potential to identify individuals. NHS GCC considered the full postcode information was exempt from disclosure under section 38(1)(b) of FOISA (Personal information).

3. On 3 April 2018, Mr D emailed NHS GGC requesting a review of its decision on the basis that he did not consider that the information he had requested would identify any patient.

4. NHS GGC notified Mr D of the outcome of its review on 6 June 2018. It upheld its previous response, stating that the information was exempt under section 38(1)(b) of FOISA. It provided further reasoning why disclosure of a full postcode could identify an individual. NHS GGC also informed Mr D that his own personal data was being withheld under section 38(1)(a) of FOISA.

5. On 8 August 2018, Mr D applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr D stated he was dissatisfied with the outcome of NHS GGC's review because his request related to an event that happened over a year and half ago; therefore, he did not accept that individuals could be identified by disclosure of the information. He also submitted that people may have moved from the area (and therefore could no longer be identified from their postcode). He believed that disclosure was in the public interest because NHS GCC should be open and transparent in its workings and that all services it provides are fair, reasonable and without any kind of prejudice.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr D made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 27 September 2018, NHS GGC was notified in writing that Mr D had made a valid application. NHS GGC was asked to send the Commissioner the information withheld from Mr D. NHS GGC provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS GGC was invited to comment on this application and answer specific questions.

9. NHS GGC responded on 22 November 2018. It confirmed its view that the requested information was exempt from disclosure under section 38(1)(b) of FOISA and provided submissions to support its position.

10. On 26 November 2018, NHS GGC provided an explanation and supporting information to demonstrate how individuals could be identified if their postcode was disclosed.

11. Mr D provided comments on his legitimate interest in obtaining the withheld personal data. He also confirmed that he did not require the Commissioner to reach a decision on the withholding of his own personal data under section 38(1)(a) of FOISA.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr D and NHS GGC. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal data

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data", as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

14. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

15. In order to rely on this exemption, NHS GGC must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

16. Here, NHS GGC argued that the postcodes were personal data and that disclosure would breach the data protection principle in Article 5(1)(a) of the GDPR, which states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Is the withheld information personal data?

17. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018. "Personal data" means any information relating to an identified or identifiable living individual."

18. NHS GGC explained that the data refers to a small number of individuals (38 in total) who attended the OOH service at the specified day and time. A number of the individuals would have been present in the waiting area at the same time as Mr D and their name would have been called out by a health professional. NHS GGC considered that the full postcode of each patient, from which an address or group of houses can be derived, together with the other information in the possession of Mr D, would allow individuals to be identified.

19. In its review response, NHS GGC advised Mr D that it had analysed the postcodes in conjunction with the postcode finder facility on the Royal Mail website. It showed that three of the patients live in postcode areas with five or fewer residences. A further seven patients live in postcode areas with fewer than 20 residences. The concentration of individuals living in these postcode areas is therefore much lower than in other areas; consequently, NHS GGC considered that there is a higher likelihood that identification would occur. In total, of the 38 patients who fall within the scope of Mr D's request, only nine live in a postcode area with more than 40 residences.

20. NHS GGC also noted in its review response that there is other information available in the public domain, such as map applications, which allow an individual to input a postcode which will then show the location on a map representation, or a street view of an actual property.

21. In conclusion, taking all these factors into account, NHS GGC submitted that there is a significant risk that providing the full postcode of a patient, together with additional information already in the possession of Mr D or accessible by him, would enable individuals to be identified.

22. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland.[1] The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data.

23. Public authorities responding to requests for numbers will therefore have to determine whether members of the public would be able (realistically) to identify individuals from the numbers, if disclosed.

24. In the circumstances, having considered NHS GCC's submissions and the withheld information, the Commissioner accepts the arguments put forward by NHS GGC, and is satisfied that there is a realistic prospect of individuals being identified should the full postcode information be disclosed.

25. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

26. Given the subject matter of the request, the information would clearly relate to the individuals. Consequently, the Commissioner accepts that the information is personal data, for the purposes of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

27. As noted above, NHS GGC argued that disclosing the personal data would contravene Article 5(1)(a) of the GDPR. This requires personal data to be processed "fairly, lawfully and in a transparent manner in relation to the data subject."

28. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018), "disclosure by transmission, dissemination and otherwise making available."

29. In the case of FOISA, personal data is processed when it is disclosed in response to a request. This means that the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Article 6(1)(a) and (f) of the GDPR

30. The Commissioner considers that conditions (a) and (f) of Article 6(1) of the GDPR are the only conditions which could potentially apply in the circumstances of this case.

31. Condition (a) states that processing will be lawful if the data subject has given consent to the processing of the data for one or more specific purposes. "Consent" is defined in Article 4 of the GDPR as:

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

32. NHS GGC advised the Commissioner that it had not asked the data subjects to consent to their personal data being disclosed. In the circumstances, the Commissioner is satisfied that there was no requirement on NGS GGC to have sought consent. In the absence of consent, condition (a) cannot be met.

33. Condition (f) states that personal data may be disclosed if processing "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data…"

34. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

35. The tests which must be met before Article 6(1)(f) can be met are as follows:

(a) Does Mr D have a legitimate interest in obtaining the personal data?

(b) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the person making the information request have a legitimate interest in obtaining the personal data?

36. NHS GGC submitted that Mr D has set out his interests in obtaining the information, which relate to whether there was any discrimination or prejudice towards patients from different areas, backgrounds or race.

37. In his correspondence with NHS GGC and the Commissioner, Mr D explained in detail his concerns as to the possibility of bias in the treatment of patients at the OOH service.

38. Taking all of the submissions into consideration, the Commissioner is of the view that Mr D has a legitimate interest in seeking the information in question.

Is the disclosure of the personal data necessary to achieve that legitimate interest?

39. The Commissioner will now consider whether Mr D's legitimate interest can be satisfied in any other way save by disclosure of the personal data in question.

40. In its submissions, NHS GGC identified other avenues that could be explored in assisting Mr D that would not require the disclosure of the requested information, including:

  • further discussion with the OOH service to explore Mr D's dissatisfaction with his experience of using the service, and his perception that other patients were seen sooner, having waited for a shorter time;
  • discussion with the Equalities team within NHS GGC to identify whether they are aware of particular issues such as Mr D has commented on;
  • discussion with the Glasgow Centre for Population Health, to identify whether they are aware of the issues raised by Mr D.

41. The decision for the Commissioner is whether disclosure of the personal data under FOISA is necessary and proportionate or whether Mr D's legitimate interests can be achieved by means which would interfere less with the privacy of the patients in question.

42. Having considered the matter in detail, the Commissioner is not satisfied that disclosure of the full postcode information is necessary to achieve Mr D's legitimate interests. In coming to this conclusion, the Commissioner has taken into account the suggestions made by NHS GGC, described above, and the fact that postcode information, by itself, is very unlikely to allow Mr D to determine whether there had in fact been discrimination or bias in his treatment.

43. Given that Mr D's legitimate interests can be met without requiring disclosure of the withheld personal data, the Commissioner finds that condition (f) of Article 6(1) of the GDPR cannot be satisfied. Accordingly, he accepts that disclosure of the personal data would be unlawful.

Fairness

44. Given that the Commissioner has concluded that the processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.

45. The Commissioner therefore finds that the personal data is exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that the Greater Glasgow and Clyde Health Board complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr D.

Appeal

Should either Mr D or NHS GGC wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
5 February 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by NHS GGC.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and 14 of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to-

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.