
Decision 105/2020: Job Evaluation Panel Membership

Public authority: Ayrshire and Arran Health Board
Case Ref: 201901261

Summary

NHS Ayrshire and Arran was asked for the names of people on a job evaluation panel. It refused to disclose the information on the basis it was personal data which, in this case, was exempt from disclosure. The Commissioner agreed the information was exempt from disclosure.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) articles 4(1) (definition of "personal data") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3)(a) and (4)(d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 22 February 2019, the Applicant made a request for information to Ayrshire and Arran Health Board (NHS Ayrshire and Arran). He requested the names of the individuals who sat on his job evaluation panel meeting of 6 February 2019.

2. NHS Ayrshire and Arran responded on 22 March 2019. It advised the Applicant that there were three management and three staff side panel members, but withheld their names under section 30(c) (Prejudice to effective conduct of public affairs) and section 38(1)(b) (Personal information) of FOISA.

3. On 2 April 2019, the Applicant wrote to NHS Ayrshire and Arran requesting a review of its decision. He argued that he had a legitimate interest in the information and that the panel had no guarantee of confidentiality.

4. NHS Ayrshire and Arran notified the Applicant of the outcome of its review on 26 April 2019. It upheld its original decision (including its reliance on section 38(1)(b)), but told the Applicant it also wished to apply the exemptions in section 30(b).

5. On 24 July 2019, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant was dissatisfied with the outcome of NHS Ayrshire and Arran's review because he believed he needed the information to lodge a grievance.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 9 August 2019, NHS Ayrshire and Arran was notified in writing that the Applicant had made a valid application. NHS Ayrshire and Arran was asked to send the Commissioner the information withheld from the Applicant. NHS Ayrshire and Arran provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Ayrshire and Arran was invited to comment on this application and to answer specific questions. These related to the application of sections 30(b) and (c) and section 38(1)(b) of FOISA.

9. NHS Ayrshire and Arran responded to these questions and confirmed that, in line with the original response and the fact that it had confirmed the response at review stage, it was continuing to rely on section 38(1)(b) of FOISA to withhold the requested information.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Ayrshire and Arran. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

13. To rely on this exemption, NHS Ayrshire and Arran must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the GDPR.

Is the withheld information personal data?

14. The first question the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR, also set out in Appendix 1.)

15. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

16. The Applicant sought the names of the job evaluation panel on the day his own evaluation was carried out. It is clear that the information withheld in this case (names), combined with the individuals' membership of this panel, "relates to" identifiable living individuals.

17. The Commissioner therefore concludes that the information withheld is personal data for the purposes of section 3(2) of the DPA 2018.

Which of the data protection principles would be contravened by disclosure?

18. NHS Ayrshire and Arran stated that disclosure of this personal data would contravene the first data protection principle (Article 5(1)(a)). Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (here, the panel members).

19. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

20. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed. The Commissioner considers that the only condition in Article 6(1) which could potentially apply is condition (f). This states that processing shall be lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".

21. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

22. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the panel members?

Does the Applicant have a legitimate interest in obtaining the personal data?

23. The Applicant submitted that he required the names of those on the panel in order to be able to submit a grievance - and for the grievance to be successful. He considered that public bodies need to demonstrate that decisions are reached fairly and transparently and that staff have a right to submit grievances and have them considered if they believe the public body has failed to adhere to agreed procedures. He considered that transparency is necessary in ensuring impartiality by preventing individuals who have had prior involvement or knowledge of the job evaluation submissions from participating in more than one stage of the process.

24. The Applicant explained that job evaluation required two representatives (management and staff) in the area under review to be available to provide additional information if required and in the past this has involved inviting these representatives to attend the panel. Therefore, in his view, there cannot be a claim for anonymity as those people would see the panel. He did not consider there to be a risk of bias as his information request was made after the job evaluation decision had been made.

25. NHS Ayrshire and Arran submitted that the Applicant's legitimate interest in making a grievance about the composition of the panel was satisfied in providing him with the composition in response to the original request. NHS Ayrshire and Arran commented that it had advised the Applicant at review what to do should he have concerns about the constitutions of the panel leading to bias.

26. The Commissioner, although recognising that the Applicant's legitimate interest in pursuing a grievance has been satisfied, accepts that disclosure of the names of the panel members would create a wider transparency and accountability in the job evaluation process for the Applicant (and the wider public). Consequently, the Commissioner accepts that the Applicant has a legitimate interest in the disclosure of the personal data.

Is disclosure of the personal data necessary?

27. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

28. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55. In this case, the Supreme Court stated (at paragraph 27):

…A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of the legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

29. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subjects.

30. NHS Ayrshire and Arran agreed, during the investigation, to provide the Applicant with the relevant unique code numbers assigned to the panel members. Having been provided with the individuals' code numbers, the Applicant remained dissatisfied. The Commissioner can identify no other viable means of meeting the Applicant's legitimate interests related to transparency in the job evaluation process which would interfere less with the privacy of the panel members than providing the withheld information. In all the circumstances, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of the Applicant's legitimate interests.

Balancing the legitimate interests and the panel members' interests or fundamental rights and freedoms

31. Having found that disclosure is necessary for the purposes of the Applicant's legitimate interests, the Commissioner must now balance the legitimate interests in disclosure against the panel members' interests or fundamental rights and freedoms.

32. The Commissioner's guidance on section 38 of FOISA[1] lists certain factors that should be taken into account in balancing the interests of the parties. He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Would the disclosure cause harm or distress?

(iii) Whether the individual has objected to the disclosure.

33. Disclosure under FOISA is public disclosure; information disclosed under FOISA is effectively placed into the public domain.

34. The Commissioner acknowledges that the withheld information relates to the individuals' public life (as employees of NHS Ayrshire and Arran), adding some weight toward disclosure.

35. NHS Ayrshire and Arran told the Commissioner that the panel members would have no expectation that their identities would be made public as a result of taking part in a job evaluation panel: there is an agreement between management and the trade unions, which is in accordance with national guidance, that panel members' names would not be shared. Panel members who volunteered to carry out the work in addition to their substantive posts were promised anonymity.

36. Where there has been a concern that the same panel members sat on the initial panel and the appeal panel, the code numbers of panel members have been shared. This practice was agreed between management and the trade unions. All panel members are provided with the Job Evaluation Handbook as part of their training, which states that panel members' names will not normally be disclosed. The handbook at 8.2 states:

The law is not straightforward in relation to disclosing panel members' names and a jobholder is entitled to request this information under the Freedom of Information Act. However, it can be argued that the names constitute personal data and consent would need to be sought from the individual panel members as to whether they would object to disclosure of their names to the jobholder. If panel members did object, there could be a defence under the Data Protection Act that, on balance, it is in the public interest not to disclose the names.

Given the local agreement and the national guidance, it is clear that panel members have a reasonable expectation that their names will not be disclosed to colleagues or to the public.

37. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of the withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question (the job evaluation panel). The Commissioner notes that the legitimate interests of the Applicant are, to some extent, satisfied by the appeal procedures that are in place (which do not require him to know the names of the panel members) and by the information already disclosed to him. Condition (f) in Article 6(1) of the GDPR cannot, therefore, be met in relation to the withheld personal data.

38. In the absence of a condition in Article 6 of the GDPR allowing personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.

Fairness

39. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subjects.

Conclusion on the data protection principles

40. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA.

Conclusion

41. As the Commissioner is satisfied that the information sought is personal data exempt under section 38(1)(b) of FOISA, he does not consider it necessary, in the circumstances of the case, to consider the additional exemptions relied upon by NHS Ayrshire and Arran.

Decision

The Commissioner finds that Ayrshire and Arran Health Board complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or Ayrshire and Arran Health Board wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

17 September 2020

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

4 Definitions

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.


[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx