Decision 032/2014 | Scottish Information Commissioner

Home Decisions

Decision 032/2014

Decision 032/2014 Mr Colin Kerr and Dumfries and Galloway Health Board

Staff attendance sheets, training and annual leave dates

Reference No: 201302805/7/8
Decision Date: 18 February 2014

Summary

On 7 February 2013, 30 March 2013 and 6 September 2013, Mr Kerr asked Dumfries and Galloway Health Board (NHS Dumfries and Galloway) for various items of information relating to the authority's staff. NHS Dumfries and Galloway withheld information on the basis that the information was personal data and exempt because disclosure would breach the first data protection principle.

Following an investigation, the Commissioner accepted NHS Dumfries and Galloway's position and found that the authority was entitled to withhold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part I: the principles) (the first data protection principle) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

Request 1

1. On 7 February 2013, Mr Kerr wrote to NHS Dumfries and Galloway, requesting the following information:

a) The domestic staff signing in-out sheets for night shift for specified dates, when he stated staffing was at a reduced level;

b) The equivalent information for other specified dates, when he stated staffing was at a more normal level.

2. NHS Dumfries and Galloway responded on 19 February 2013. It provided numbers of domestic staff on duty for the dates specified at 1(b) above, and confirmed that it had already provided the equivalent figures for the dates specified at 1(a). It informed Mr Kerr that the actual sheets were being withheld under section 38 of FOISA on the basis that they comprised the personal data of the staff concerned.

3. On 31 March 2013, Mr Kerr wrote to NHS Dumfries and Galloway, requesting a review of its decision. He confirmed that any personal data could be redacted from the information.

4. NHS Dumfries and Galloway notified Mr Kerr of the outcome of its review on 29 April 2013, upholding its original decision without modification.

Request 2

5. On 30 March 2013, Mr Kerr wrote to NHS Dumfries and Galloway requesting the dates when specified porter-domestics were first trained. He confirmed that he did not require personal details.

6. NHS Dumfries and Galloway responded on 16 April 2013. It explained the training provided to porter-domestics, but refused to disclose individual training dates on the basis that these might identify the staff concerned.

7. On 27 May 2013, Mr Kerr wrote to NHS Dumfries and Galloway, requesting a review of its decision. He did not believe the individuals could be identified from their training dates.

8. NHS Dumfries and Galloway notified Mr Kerr of the outcome of its review on 13 June 2013, upholding its original decision without modification.

Request 3

9. On 6 September 2013, Mr Kerr wrote to NHS Dumfries and Galloway, requesting the holiday/annual leave dates (within a specified period) for two named individuals.

10. NHS Dumfries and Galloway responded on 12 September 2013, stating that the requested information was exempt in terms of section 38(1)(b) of FOISA.

11. On 23 September 2013, Mr Kerr wrote to NHS Dumfries and Galloway, requesting a review of its decision.

12. NHS Dumfries and Galloway notified Mr Kerr of the outcome of its review on 1 October 2013, upholding its original decision without modification.

The applications

13. On 16, 17 and 18 November 2013, Mr Kerr wrote to the Commissioner's office, stating that he was dissatisfied with the outcome of each of NHS Dumfries and Galloway's reviews and applying to the Commissioner for a decision in respect of each of his requests, in terms of section 47(1) of FOISA.

14. The applications were validated by establishing that Mr Kerr made requests for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its responses to those requests. Given the subject matter of the three requests and the manner in which they were dealt with by the authority, the Commissioner considered it appropriate to address all three of Mr Kerr's applications in a single decision.

Investigation

15. NHS Dumfries and Galloway was notified in writing that the three applications had been received from Mr Kerr and was asked to provide the Commissioner with any information withheld from him. NHS Dumfries and Galloway responded with the information requested and the cases were then allocated to an investigating officer.

16. The investigating officer subsequently contacted NHS Dumfries and Galloway, giving it an opportunity to provide comments on the applications (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. The investigating officer's questions focused on NHS Dumfries and Galloway's application of section 38(1)(b) of FOISA: NHS Dumfries and Galloway responded with full submissions on these points.

17. Mr Kerr provided submissions as to why he required the information.

Commissioner's analysis and findings

18. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Kerr and NHS Dumfries and Galloway. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal Information

19. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate) exempts personal data if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

20. NHS Dumfries and Galloway submitted that the withheld information in each of the three requests was personal data for the purposes of the DPA and that its disclosure would contravene the first data protection principle. It further submitted that disclosure of the information in response to requests 1 and 2 would breach the second data protection principle. Therefore, it argued that the information was exempt under section 38(1)(b) of FOISA.

21. In considering the application of this exemption, the Commissioner will first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether disclosure of the information would breach the first and (if necessary) the second data protection principle as claimed.

22. This particular exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

23. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in the Appendix).

24. The Commissioner has considered the submissions received from NHS Dumfries and Galloway and Mr Kerr on this point, along with the withheld information. She is satisfied that living individuals could be identified from the information, either by itself or with other information reasonably likely to be accessible to Mr Kerr (and others). In the circumstances, she does not believe it would be possible to anonymise the information fulIy, thus removing the risk of identification. Given the nature of the information, the Commissioner finds that it relates to the individuals concerned. Consequently, the Commissioner accepts that the information would be those individuals' personal data, as defined by section 1(1) of the DPA.

The first data protection principle

25. The first data protection principle states that personal data shall be processed fairly and lawfully. The processing in this case would be disclosure of the information into the public domain in response to Mr Kerr's request. The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, as defined in section 2 of the DPA, at least one of the conditions in schedule 3 to the DPA must also be met: having considered the information, the Commissioner does not consider it to fall into any of the categories of sensitive personal data in section 2 of the DPA.

26. The Commissioner will now consider whether there are any conditions in Schedule 2 which would permit the withheld personal data to be disclosed. If any of these conditions can be met, she must then consider whether the disclosure of the personal data would be fair and lawful.

27. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. These three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

Can any of the conditions in Schedule 2 be met?

28. In the circumstances, it appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr Kerr. In any event, neither Mr Kerr nor NHS Dumfries and Galloway has argued that any other condition would be relevant. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (the individual(s) to whom the data relate).

29. There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

a. Is Mr Kerr pursuing a legitimate interest or interests?

b. If yes, is the processing involved necessary for the purposes of those interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subject?

c. Even if the processing is necessary for Mr Kerr's legitimate interests, is that processing nevertheless unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

30. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of Mr Kerr must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that NHS Dumfries and Galloway was correct to refuse to disclose the personal data to Mr Kerr.

Is the applicant pursuing a legitimate interest or interests?

31. NHS Dumfries and Galloway did not consider Mr Kerr to be pursuing a legitimate interest in relation to any of his requests.

32. In relation to request 1, Mr Kerr believed the signing in-out sheets contradicted figures provided by NHS Dumfries and Galloway previously. In relation to request 2, he believed NHS Dumfries and Galloway's staff training, or the lack of it, to be a matter of public concern. In relation to request 3, he referred to potential conduct issues.

33. Having considered all relevant submissions, the Commissioner accepts that, objectively speaking, the issues identified by Mr Kerr are ones in which he, and the wider public, have legitimate interests.

Is disclosure necessary for the purposes of these interests?

34. Noting that Mr Kerr had made clear in seeking a review in relation to request 1 that he was interested in how many staff were on duty on the specified night shifts, NHS Dumfries and Galloway confirmed that Mr Kerr had been provided with the relevant numbers (thus satisfying any interest he might have).

35. More generally, NHS Dumfries and Galloway submitted that it had internal policies and procedures in place to address any legitimate concerns Mr Kerr might wish to raise. These had been drawn to Mr Kerr's attention, but he did not appear to have chosen to follow them. In addition, the authority referred to occasions on which it had given Mr Kerr the opportunity to discuss matters with its Corporate Business Manager, to explore how it might help him further.

36. Having considered the withheld information and all relevant submissions she has received, the Commissioner finds that Mr Kerr's legitimate interests could be met by means which would not involve disclosure of the withheld personal data. She would encourage Mr Kerr to pursue these. In the circumstances, she does not consider disclosure of the personal data to be necessary for the purposes of his legitimate interests, with the result that condition 6 cannot be met.

37. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 which would permit disclosure of the personal data under consideration. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA. In reaching this conclusion, she has not found it necessary to consider the second data protection principle, referred to in NHS Dumfries and Galloway's submissions in relation to requests 1 and 2.

DECISION

The Commissioner finds that NHS Dumfries and Galloway of Glasgow complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information requests made by Mr Kerr.

Appeal

Should either Mr Kerr or Dumfries and Galloway Health Board wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
18 February 2014

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.