Decision 059/2017: Mr X and Tayside Health Board Complaint information Reference No: 201602304 Decision Date: 2 May 2017 Summary NHS Tayside was asked for information in respect of complaints or allegations about a named consultant. NHS Tayside withheld the information on the basis that disclosure would breach the DPA. The Commissioner investigated and accepted that NHS Tayside was entitled to withhold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles, Part I: the principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

All references in this decision to "the Commissioner" are to Margaret Keyse, who has been appointed by the Scottish Parliamentary Corporate Body to discharge the functions of the Commissioner under section 42(8) of FOISA.

Background

1. On 26 October 2016, Mr X made a request for information to Tayside Health Board (NHS Tayside). He requested information about a named consultant that showed whether there had been any accusations or complaints made against that consultant by members of the public or any NHS Tayside employee. He asked also for information about any actions imposed on the consultant.

2. NHS Tayside responded on 21 November 2016. It explained that disclosure under FOISA means putting information into the public domain. It withheld information under section 38(1)(b) of FOISA (Personal information), believing that disclosure would breach the data protection principles in the DPA. NHS Tayside advised Mr X that he could request his own personal data under the DPA.

3. On 22 November 2016, Mr X wrote to NHS Tayside requesting a review of its decision on the basis that he believed there was a public interest in the disclosure of the information. Mr X referred to his concerns about the risks the consultant posed to NHS Tayside staff and patients (including himself), in terms of bullying, harassment and breach of dignity, and the public interest in preventing physical, psychological or emotional injury.

4. NHS Tayside notified Mr X of the outcome of its review on 9 December 2016. It upheld its original response without modification.

5. On 19 December 2016, Mr X applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr X was dissatisfied with the outcome of NHS Tayside's review because he believed disclosure of the information was necessary in the public interest, to protect people at risk of bullying behaviour from the named consultant. Mr X believed that NHS Tayside had previously disclosed information that would fall into the category of personal information, such as concerns for practice issues.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr X made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 6 February 2017, NHS Tayside was notified in writing that Mr X had made a valid application. NHS Tayside was asked to send the Commissioner the information withheld from Mr X. NHS Tayside provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Tayside was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr X and NHS Tayside. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal Information

10. NHS Tayside confirmed that the information it wished to withhold was information that it considered to be personal data, exempt from disclosure in terms of section 38(1)((b) of FOISA, read in conjunction with section 38(2)(a)(i).

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

12. In considering the application of this exemption, the Commissioner will first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether disclosure of the information would breach the first data protection principle, as claimed. This particular exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

13. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

14. Mr X asked for information about a named individual. The withheld information therefore relates to that named person. The Commissioner is satisfied that any information captured by Mr X's request must, by definition, be the personal data of the named consultant.

15. The withheld information also contains the personal data of third parties who have been involved in the complaint process.

The first data protection principle

16. NHS Tayside argued that disclosure of the withheld information would contravene the first data protection principle.

17. The first data protection principle states that personal data shall be processed fairly and lawfully. The processing in this case would be disclosure of the information into the public domain in response to Mr X's request. The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met.

Can any of the conditions in Schedule 2 be met?

18. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1], that the conditions required careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interest of the data subject (i.e. the person or persons to whom the data relate).

19. The first Schedule 2 condition which might be considered relevant in this case is condition 1. Condition 1 applies when the data subject has consented to the release of the information. The Commissioner understands that no consent has been given by the consultant or any of the other data subjects. The Commissioner accepts that condition 1 in Schedule 2 cannot be met.

20. The Commissioner's view is that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr X. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects.

21. There are a number of different tests which must be satisfied before condition 6 can be met. These are:

(i) Does Mr X have a legitimate interest or interests in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subjects?

(iii) Even if the processing is necessary for Mr X's legitimate interests, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

22. There is no presumption in favour of disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of Mr X must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit disclosure. If the two are evenly balanced, the Commissioner must find that the NHS Tayside would be able to refuse to disclose the information to Mr X.

Does Mr X have a legitimate interest in obtaining the personal data?

23. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's published guidance[2] on section 38 states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

24. NHS Tayside disputed that Mr X had a legitimate interest in the requested information, apart from his own personal data which he could access under the DPA. (Section 7(1) of the DPA gives data subjects the right of be given their personal data. However, this right is not absolute)

25. Given that Mr X had already initiated a complaint about the consultant, the Commissioner accepts that he has a legitimate interest in information which would show whether his experience was shared by others, and that his legitimate interest extends to all such information and not simply his own personal data.

26. The Commissioner acknowledges that, as a member of the public, Mr X also has a legitimate interest in obtaining information which would allow scrutiny of the standard of conduct of a member of NHS Tayside's staff, and in understanding how NHS Tayside has addressed any complaints about the conduct of its staff.

27. In all the circumstances, the Commissioner accepts that Mr X is pursuing a legitimate interest in seeking the withheld information.

Is disclosure of the information necessary for the purposes of these legitimate interests?

28. The Commissioner must now consider whether disclosure of the personal data is necessary for Mr X's legitimate interests. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

29. Mr X did not elaborate on why it was necessary for him to obtain the information, beyond stating that disclosure of the information was in the public interest.

30. The Commissioner has considered the submissions from both parties carefully and in the light of the decision by the Supreme Court in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[3]. In this case the Supreme Court stated (at paragraph 27 of the judgment):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

31. The Commissioner notes that NHS Tayside assisted Mr X by explaining his rights under the DPA to obtain his personal data and his rights under its complaints procedure if he has concerns about the way his complaint against the named consultant was considered. NHS Tayside referred Mr X to its complaint and grievance procedures - that is, it alerted Mr X to other ways in which he could ask for his concerns to be addressed.

32. However, these alternatives would not provide Mr X with the withheld information or fully meet his legitimate interests, as identified above. The Commissioner can identify no other viable means of meeting Mr X's legitimate interests which would interfere less with the privacy of the consultant and other data subjects than providing the information requested by Mr X. For this reason, she is satisfied that disclosure of the information is necessary for the purposes of Mr X's legitimate interests.

33. As the Commissioner is satisfied that disclosure of the withheld personal data is necessary to fulfil Mr X's legitimate interests, she must now consider whether disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr X and those of the data subjects. Only if the legitimate interests of Mr X outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects?

34. The Commissioner must now consider whether the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects. This test involves a balancing exercise between the legitimate interests of Mr X and those of the consultant or any third party. Only if the legitimate interests of Mr X outweigh those of the data subjects can the information be made available without breaching the first data protection principle.

35. In the Commissioner's guidance[4] on section 38 of FOISA, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

(iv) the reasonable expectations of the individuals as to whether the information should be disclosed.

36. NHS Tayside was of the view that none of the data subjects would reasonably expect their personal data to be disclosed into the public domain (which is the effect of disclosure under FOISA). Its complaint process and grievance policy create an expectation of privacy. The withheld information relates to the consultant's public life (professional conduct). Although there is generally a greater expectation of disclosure for information relating to an individual's public life than their private life, the Commissioner agrees with NHS Tayside that, given the context in which the information was recorded, the consultant would not reasonably have expected their personal data to be made public. On the contrary, they would have a reasonable expectation that any complaint or allegations against them would be treated with a level of confidentiality appropriate to the relevant stage of the complaints or grievance process, in order to ensure fair treatment within that process. This is particularly important in situations where a complaint, if upheld, is likely to result in disciplinary action or professional sanction.

37. Having considered the competing interests of Mr X and the data subjects, the Commissioner must balance them. She finds that Mr X's legitimate interests are outweighed by the prejudice to the rights and freedoms of the parties whose personal data would result from disclosure. On balance, therefore, she must find that the requirements of condition 6 cannot be met here.

38. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 which would permit disclosure of the information. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently the Commissioner finds that disclosure of the information would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.

Decision The Commissioner finds that NHS Tayside complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr X.

Appeal

Should either Mr X or NHS Tayside wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Acting Scottish Information Commissioner

2 May 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

….

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

…

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

…

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

…

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

…

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

…

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

…

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

…

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

---