Home Decisions

Decision 019/2019

Decision 019/2019: Numbers of operations cancelled for non-clinical reasons

Public authority: Lothian Health Board
Case Ref: 201801862

Summary

NHS Lothian was asked for the number of operations cancelled for non?clinical reasons, broken down by reason.

NHS Lothian disclosed some information, but withheld data where the figures were "five or less" on the basis that it considered the information to be personal data, disclosure of which would breach the data protection principles.

The Commissioner did not accept that the information was personal data and required NHS Lothian to disclose it.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b) and (5) (definition of "personal data") (Personal information)

Data Protection Act 2018 (the DPA 2018) section 3(2) and (3) (definition of "personal data" (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 31 August 2018, Ms R made a request for information to Lothian Health Board (NHS Lothian). The information requested was, for each of the past five financial years (2013/14 to 2017/18):

… the total number of operations cancelled for non-clinical reasons, broken down by the cause of the cancellation, for example due to lack of beds, operating theatre capacity, staffing issues and equipment failures.

In the total number of operations, broken down by cancellation reason, please include:

  • Elective operations cancelled at the last minute. For the purposes of this request, "last minute" means on the day the patient was due to arrive, after the patient has arrived in hospital or on the day of the operation or surgery.
  • Cancelled urgent operations.

If data is collected by the trust, please also provide a separate total for each year for all operations cancelled for non-clinical reasons, regardless of how soon before the scheduled operation time the cancellation occurred.

2. NHS Lothian responded on 24 September 2018, disclosing the majority of the information requested. It withheld figures of "five or less" (including totals including figures of "five or less") under section 38(1)(b) (Personal information) of FOISA. NHS Lothian explained it had withheld these figures to protect the identity of the individual(s) involved and, as it did not have their consent to disclosure, disclosing this information would breach the Data Protection Act.

3. On 1 October 2018, Ms R wrote to NHS Lothian, requesting a review of its decision to withhold figures of "five or less". She did not believe the test for applying section 38(1)(b) had been fully applied. Ms R argued that the information was not personal data and so section 38(1)(b) did not apply.

4. NHS Lothian notified Ms R of the outcome of its review on 18 October 2018, upholding its original decision in full. Acknowledging it would have been possible initially to aggregate the data to remove figures of "five or less", it explained this was now not an option as, combined with the data originally disclosed, it could lead to the identification of the figures/individuals.

5. NHS Lothian stated the data supplied was similar to information published and made available to clinicians and managers not involved with the service. It provided Ms R with a link to the NHS National Services Information Services Division (ISD) statistical disclosure protocol[1]. As it was not clear to NHS Lothian why more detail than "five or less" was required (as this might lead to individuals being identified), it advised Ms R to make a Caldicott request (to its Caldicott Guardian) or a confidential data request to ISD.

6. On 26 October 2018, Ms R wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. Ms R stated she was dissatisfied with the outcome of NHS Lothian's review because she believed the test for section 38(1)(b) had not been fully applied to withhold figures of "five or less", noting that she did not consider the information to be personal data (and so it could not be exempt under section 38(1)(b)). She expanded on why she did not consider identification of the individuals concerned to be a realistic prospect.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Ms R made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 29 November 2018, NHS Lothian was notified in writing that Ms R had made a valid application. NHS Lothian was asked to send the Commissioner the information withheld from Ms R. NHS Lothian provided the information and the case was allocated to an investigating officer.

9. On comparing the withheld information with that disclosed, the Investigating Officer identified that two of the "five or less" figures were present in the information previously disclosed to Ms R.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Lothian was invited to comment on this application and to answer specific questions, focusing on the application of data protection legislation to the withheld information. It was also asked to comment on why, in the information disclosed to Ms R, two of the figures released were "five or less".

11. As NHS Lothian was withholding the information under the exemption in section 38(1)(b), Ms R was also invited to comment on her legitimate interest in obtaining the information.

12. Both parties provided submissions to the Commissioner.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Ms R and NHS Lothian. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

14. NHS Lothian withheld some of the information requested by Ms R (namely figures of "five or less") on the basis that it was exempt from disclosure under section 38(1)(b) of FOISA.

15. Ms R argued that the test for applying section 38(1)(b) had not been fully applied: the information was not personal data and was therefore not exempt under section 38(1)(b).

16. The exemption in section 38(1)(b) of FOISA is not subject to a public interest test in the same way as some other exemptions. The test for section 38(1)(b), as applied by NHS Lothian in this case, is whether disclosure would breach any of the data protection principles in Article 5(1) of the General Data Protection Regulation (the GDPR).

17. The Commissioner must decide whether NHS Lothian was correct to withhold the figures of "five or less", in the information requested by Ms R, under section 38(1)(b). He will consider whether the tests required for section 38(1)(b) to apply have been met.

Is the information personal data?

18. The first point the Commissioner must consider is whether the information is personal data in terms of section 3(2) of the DPA 2018. Read with section 3(3), section 3(2) incorporates the definition in Article 4(1) of the GDPR:

… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The definition of personal data is set out in full in Appendix 1.

19. In its submissions to the Commissioner, NHS Lothian acknowledged that the figures requested were annual figures covering the entire health board area. However, it took the view that releasing the majority of the "five or less" figures, some of which were "ones and twos", could not only identify a patient, but also potentially a third party or a staff member, due to the particular circumstances of cases. It explained that figures of "five or less" were disclosed to staff on a "need to know" basis only, and external disclosure would provide more identifiable data than normally permitted under its disclosure control policy. Disclosure of low figures, NHS submitted, could identify a natural person (the data subject) directly or indirectly.

20. NHS Lothian further submitted that small numbers might relate to individuals or their acquaintances: the data referred to them, and so it was standard NHS practice not to publish small numbers in relation to healthcare provision statistics.

21. In the case of Breyer v Bundesrepublik Deutschland[2] the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is realistic prospect of someone being identified. When making that determination, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is insignificant, the information will not be personal data.

22. Although this decision was made before the GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply. Recital (26) of the GDPR bears this out and confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

23. NHS Lothian was asked to explain why there was a realistic prospect that individuals could be identified as a result of disclosure and to provide examples of this. In response, it referred to a letter in "The Lancet"[3], submitting this gave an example of the release of data (namely a point on a map) from which a patient's community was able to identify them from prior knowledge. In that case, it explained, local residents used information available elsewhere to identify a specific individual with a healthcare-associated infection obtained in another country. NHS submitted this was a good example of how what appeared to be non?personal data actually were personal data.

24. NHS Lothian acknowledged that the two "five or less" figures in the information released to Ms R were disclosed in error.

25. In her submissions to the Commissioner, Ms R argued that the information was not personal data as individuals were not "identifiable". In her view, there was no reason the information could not be disclosed as the exemption did not apply. She contended that any privacy rights were non-existent as they could only apply to personal data.

26. The Commissioner's briefing on section 38 (Personal information)[4] provides that the two main elements of personal data are that the information must "relate to" a living person; and that person must be identified - or identifiable - from the data, or from the data and other information.

27. Information will "relate to" a person if it is about them, linked to them, has some biographical significance for them, is used to inform decisions affecting them, has them as its main focus or impacts them in any way.

28. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals. There may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual, but this is not necessarily sufficient to make the individual identifiable.

29. The Commissioner has considered NHS Lothian's submissions. He is not satisfied that he has been provided with sufficiently compelling arguments to conclude that disclosure would lead to the identification of individuals.

30. NHS Lothian argued that disclosure of low numbers could result in identification, referencing an example in support of its position. Having considered this example, the Commissioner is unclear as to how disclosure led directly to identification of the individual involved. In any event, the other information available elsewhere was specific and particularly unique to that case.

31. In this case, the Commissioner considers NHS Lothian's submissions on the potential to identify an individual to be hypothetical and without substance, particularly when taking account of the breakdown of reasons for cancelling operations, all of which appear to be fairly generic. Furthermore, Ms R's request did not seek any further details (e.g. the medical conditions or the nature of the operation), only the number of operations cancelled broken down by reason.

32. The Commissioner has given regard to the information covering full years and the entire NHS Lothian area which (according to its website) has a population of circa 800,000. The information lists generic reasons for cancelling operations, and is in no sense biographical in the format in which it is presented. Given the size of the population, the timespan covered and the generic reasons for cancellation, the Commissioner is not satisfied that there would be a realistic possibility of this information making a meaningful contribution to identification of the individuals concerned. Individuals may be able to confirm that they, or those close to them, are one of those in a particular "five or less" cell, but they will know that anyway: the withheld information will not contribute to identifying the individual concerned.

33. Regarding disclosure of the two "five or less" figures which NHS has acknowledged it disclosed in error, the Commissioner notes that NHS Lothian has not provided any submissions to the effect that this disclosure resulted in any individuals being identified.

34. The Commissioner notes that it is standard NHS practice not to publish "five or less" healthcare figures. However, he is strongly of the view that when considering disclosure of low numbers in response to an information request under FOISA, the determination must be done on a case-by-case basis, and public authorities must avoid adopting a "blanket" approach.

35. In this case, therefore, taking account of all the circumstances, the Commissioner is not persuaded that there is a realistic prospect of individuals being identified from disclosure of the information in question. Having taken account of the arguments presented by both parties, he is of the view that the risk of identification is insignificant and consequently the information is not personal data.

36. As the Commissioner is not satisfied that this information is personal data, he must find that NHS Lothian was not entitled to withhold the information under section 38(1)(b) of FOISA.

37. The Commissioner therefore requires NHS Lothian to disclose the information to Ms R.

Decision

The Commissioner finds that Lothian Health Board (NHS Lothian) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Ms R. NHS Lothian wrongly withheld information under section 38(1)(b) (Personal information) of FOISA on the basis that it was personal data.

The Commissioner therefore requires NHS Lothian to provide Ms R with the information withheld by 1 April 2019.

Appeal

Should either Ms R or NHS Lothian wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If NHS Lothian fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS Lothian has failed to comply. The Court has the right to inquire into the matter and may deal with NHS Lothian as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement
13 February 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(5) In this section-

… "personal data" … [has] the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);


Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to-

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

[1] http://www.isdscotland.org/About-ISD/Confidentiality/disclosure_protocol_v3.pdf

[2] http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN

[3] https://www.thelancet.com/journals/laninf/article/PIIS1473-3099(10)70243-7/fulltext

[4] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx