Decision 138/2021: Discharges from hospitals to care homes

Public authority: Public Health Scotland
Case Ref: 202100006

Summary

Public Health Scotland (PHS) was asked about discharges from hospitals to care homes. PHS originally withheld the information on the basis that disclosure would constitute a breach of confidence. However, during the investigation, it disclosed some of the information, and withheld the remaining information on the basis that it was personal data which, in this case, it considered to be exempt from disclosure.

Following an investigation, the Commissioner concluded that the remaining information was not personal data. He required PHS to disclose the information to the Applicant.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(c) and (e)(ii) (Effect of exemptions); 36(2) (Confidentiality); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) and (f) (Principles relating to processing of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 28 October 2020, the Applicant made a request for information to Public Health Scotland (PHS). The Applicant referred to a document that had been published that day (Discharges from NHS Hospitals to Care Homes between 1 March and 31 May 2020: Validated register of hospital discharges to care homes methodology[1]) and requested a detailed breakdown of:

a) the 5,204 discharges from hospital to care homes between 1 March and 31 May 2020, to include the name of the care home and the number of patients discharged to each home;

b) where those who were, and were not, tested for COVID-19 between 1 March and 21 April 2020 were discharged to, to include the name of the care home and the number of patients discharged to each home;

c) where patients - who a) tested positive, and/or b) tested positive and had no subsequent negative tests before their discharge - were discharged to between 1 March and 31 May 2020, to include the name of the care home and the number of patients discharged to each home. The Applicant understood from the report data that the number of patients was at least 113.

In each case, where the numbers were less than five, the Applicant asked that they be marked "<5", to ensure anonymity of personal data.

2. PHS responded on 26 November 2020. It informed the Applicant that it was applying the exemption contained in section 36(2) of FOISA, stating that disclosure would constitute a breach of confidence.

3. On 26 November 2020, the Applicant wrote to PHS, requesting a review of its decision as he understood every health board and care home had a duty to report the information to PHS and there would be no expectation of confidentiality. He further commented that the public interest favoured disclosure.

4. PHS notified the Applicant of the outcome of its review on 16 December 2020. It upheld the application of section 36(2) of FOISA. It explained that, while there had been no promised confidentiality to care homes, it always had a duty of confidentiality to consider. In this case, it was concerned the information might be combined with other information and that this could lead to an actionable breach of confidence. It stated that disclosure would risk the interests, commercial or otherwise, of individual care homes and their operators, which in turn could impact on the business of PHS, if legal proceedings should result.

5. On 5 January 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of PHS's review because he disagreed with the application of section 36(2) of FOISA and believed the public interest favoured disclosure.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 22 January 2021, PHS was notified in writing that the Applicant had made a valid application. PHS was asked to send the Commissioner the information withheld from the Applicant. PHS provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. PHS was invited to comment on this application and to answer specific questions, focusing on the exemption claimed.

9. In its submissions to the Commissioner, PHS withdrew its reliance on section 36(2) of FOISA and provided submissions to the effect that it wished to apply the following exemptions to withhold the information requested:

  • Section 26(c) (Prohibitions on disclosure)
  • Section 30(c) (Prejudice to effective conduct of public affairs)
  • Section 33(1)(b) (Commercial interests and the economy)

10. By way of background, PHS informed the Commissioner that, on 18 August 2020, the Cabinet Secretary for Health and Sport commissioned PHS to carry out work to identify and report on discharges from NHS Hospitals to care homes during the first wave of the COVID-19 Pandemic (covering the period March to May 2021). It advised that both the University of Edinburgh and the University of Glasgow were partners in production of the report published on 28 October 2020. This was the report the Applicant referred to in his request for information.

11. On 20 May 2021, PHS was invited to provide clarification as to whether its submissions related to all three parts of the Applicant's request or whether they differed for each part. It was also given the opportunity to provide supporting evidence, and clarity as to its application of section 26(c) of FOISA.

12. On 3 June 2021, PHS responded stating that, in the light of the Commissioner's decisions to require Social Care and Social Work Improvement Scotland (the Care Inspectorate) and the Registrar General of Births, Deaths and Marriages for Scotland (National Records of Scotland) to disclose the names of care homes where COVID-19 deaths occurred (Decisions 076/2021[2] and 079/2021[3]), PHS would disclose the requested information to the Applicant by 11 June 2021.

13. PHS also clarified that the submissions it had previously made to the Commissioner answered all three parts of the Applicant's request. PHS confirmed that, as part of the release, it would like to include some additional, up to date information and narrative for context. It explained that this was why the information could not be disclosed immediately.

14. PHS also asked the investigating officer to speak to the Applicant to ascertain whether he might wish to retract his application to the Commissioner.

15. On 8 June 2021, following further contact between the investigating officer and the Applicant, PHS were advised that, in the light of its offer to disclose the information, the Applicant would be willing to withdraw his application for a decision.

16. On 11 June 2021, the day by which PHS was due to disclose the information to the Applicant, PHS told the Commissioner that it had identified some information that may lead to individuals being identified and might not adhere to its disclosure control principles for small populations (such as care homes). It advised that it would be considering this information further before disclosure (which would now be by 16 June 2021), but would not wish to release information that would potentially identify individuals.

17. On 16 June 2021, PHS provided a further response to the Applicant. In this response, it advised the Applicant that, following discussions and submissions between PHS and the Commissioner, and in light of recent rulings by the Commissioner requiring the National Records of Scotland and the Care Inspectorate to disclose the names of care homes where COVID-19 deaths occurred, PHS was now making information available to him. It advised that "Disclosure Control Methods" had been applied to protect confidentiality. It did not explain it was withholding any figures that were less than nine.

18. On 16 June 2021, the Applicant acknowledged receipt of the information disclosed. He noted that the lowest number that had been provided was nine. He asked whether this was because PHS was anonymising anything lower than nine, pointing out that he had requested that only numbers lower than five be anonymised (to which PHS had not appeared to object). He confirmed his dissatisfaction with the information disclosed, and wished the Commissioner to come to a decision on his application.

19. On 17 June 2021, the Commissioner wrote to PHS and noted that PHS appeared to have anonymised figures below nine in the information disclosed. In the light of its earlier submissions of 3 June 2021, in which it had stated its intention to disclose the information requested by the Applicant (i.e. with figures less than five being anonymised using "<5"), PHS was asked if it would provide an updated disclosure meeting the terms of all three parts of the Applicant's request.

20. On 22 June 2021, PHS was advised that it had been given the opportunity to clarify its earlier submissions, and provide any further submissions, on 20 May 2021, as referred to above. If it was continuing to withhold any information, which it appeared to be doing under section 38(1)(b) of FOISA, it was asked to provide further submissions in support of its position, by 29 June 2021.

21. On 29 June 2021, PHS wrote to the Commissioner and provided submissions to the effect that it considered figures less than nine to be exempt in terms of section 38(1)(b) of FOISA, on the basis that the figures comprised personal data and disclosure would breach the data protection principles set out at Articles 5(1)(a) (lawfulness, fairness and transparency) and (f) (integrity and confidentiality) of the UK GDPR.

22. On 2 August 2021, following a discussion with the Commissioner on 28 July 2021, PHS provided further submissions as to why it considered section 38(1)(b) of FOISA applied to the information that remained withheld. These submissions focused largely on the risk of living individuals being identified, directly or indirectly, from the remaining withheld information.

23. In its submissions to the Commissioner, PHS confirmed that it no longer wished to rely upon the exemptions in sections 26(c), 30(c) or 33(1)(b) of FOISA, as it had claimed earlier in the investigation. Therefore, the Commissioner will consider whether PHS was initially entitled to rely on section 36(2) of FOISA in dealing with the Applicant's request, and whether it is entitled to rely upon section 38(1)(b) to withhold the remaining information.

Commissioner's analysis and findings

24. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and PHS. He is satisfied that no matter of relevance has been overlooked.

Section 36(2) - Confidentiality

25. Section 36(2) of FOISA provides that information is exempt from disclosure if:

  • it was obtained by a Scottish public authority from another person (the first test) and
  • its disclosure by the authority so obtaining it to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person (the second test).

26. As mentioned above, during the investigation PHS withdrew its application of section 36(2) of FOISA, accepting that it did not apply. In the absence of submissions from PHS as to why the information was initially considered to be so exempt from disclosure, the Commissioner must conclude that the information in question was not properly withheld under section 36(2) of FOISA and, to that extent, was incorrectly withheld by PHS. In withholding the information under this exemption, PHS breached section 1(1) of FOISA.

27. The Commissioner will now consider whether PHS is entitled to withhold the remaining information under section 38(1)(b) of FOISA.

Section 38(1)(b) of FOISA - Personal information

28. As mentioned above, during the investigation, PHS disclosed some of the information it held to the Applicant, subject to the withholding of information where the figures were less than nine. It submitted that this information was exempt in terms of section 38(1)(b) of FOISA.

29. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

30. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

31. To rely on this exemption, PHS must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the GDPR.

Is the withheld information personal data?

32. The first question the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018. Only where he accepts that it is personal data will he go on to consider whether (as PHS has claimed) it falls within any of the special categories of personal data defined in Article 9 of the GDPR: if the information is not personal data, it cannot be special category data.

33. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual". Section 3(3) of the DPA 2018 defines "identifiable living individual" as a living individual who can be identified, directly or indirectly, in particular by reference to -

(i) an identifier such as a name, an identification number, location data, or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

34. In its submissions to the Commissioner, PHS explained that it had carried out a risk assessment in compliance with its own published Statistical Disclosure Control Protocol[4]. It submitted that the risk assessment had determined the following:

  • There were numerous counts of numbers from up to nine in the output
  • The population was classed as small (i.e. care homes)
  • An individual within the small counts could be identified using attribute and deductive disclosure using the information already released to the public by National Records of Scotland, the Care Inspectorate, and other readily available information, to link to the breakdowns as required by the Applicant using data science techniques and algorithms
  • Applying only the standard level of disclosure as required by the Applicant did not mitigate the huge disclosure risk
  • The output was classed as sensitive because it was about vulnerable small populations, most of whom might be subject to the Adult Support and Protection (Scotland) Act 2007
  • The period of time covering the data was short - 12 weeks

35. Following consideration of the risk assessment, PHS concluded that all small counts (i.e. less than nine) were deemed unsafe and required to be safeguarded in accordance with the UK GDPR. It submitted that disclosure would contravene the data protection principle in Article 5(1)(f), as disclosure would contravene the data subjects' right to privacy.

36. PHS further stated that disclosure would contravene the data protection principle in Article 5(1)(a), on the basis that processing would not be lawful, transparent and fair because the data subjects, or their legal advocates, would not have been informed that their data were being released in public and could result in them as individuals being identified through the various means identified. This, PHS claimed, would contravene their right to be informed and therefore result in unlawful and unfair processing.

37. In PHS's view, there remained a risk (which could not be ignored) that the privacy of individuals in some care homes might be compromised if it released analytical outputs to the public which did not comply with its published Statistical Disclosure Control Protocol (which it stated had been devised to help balance, or minimise, the risk of disclosure to an acceptable level, in line with legal requirements and good practice, while releasing as much information as possible).

38. PHS submitted that it knew that it was possible to apply specialist software and automation, using machine learning and artificial intelligence applications and practical applications of differential privacy. PHS submitted that a number of steps might be available to any motivated persons and unethical intruders, with the requisite skills and access to the information if it were to become public, which included:

  • interrogating publicly available datasets using automated software
  • interrogating, using specialist software, social media sites (e.g. Facebook, Twitter, TikTok and Instagram) of care homes to obtain relevant information
  • comparing names of care home residents with those on the National Registers of Scotland's register of deaths, to determine (using differencing techniques) which named individuals were alive during the said period but had since died
  • interrogating National Records for Scotland publicly available information on deaths and places of death during the period in question
  • bringing all the findings together within a data science platform to write codes, build a model and train the model for identifying individuals in care homes and quantifying the risks of the various intruder scenarios.

39. PHS submitted that it had received advice from its data protection officer that not adhering to its Statistical Disclosure Control Protocol or to the risk assessment would result in lesser safeguards to personal data and impinge on PHS's obligations under data protection law. It believed the likelihood of such techniques being used in a reconstruction attack to be high, although it did not (and did not appear to be able to) explain in detail how it had arrived at this conclusion on the question of likelihood.

40. The two main elements of personal data are that the information must "relate" to a living person; and that person must be identified - or identifiable - from the data, or from the data and other accessible information.

41. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

42. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals. There might be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identified the individual, but this is not necessarily sufficient to make the individual identifiable.

43. In the case of Breyer v Bundesrepublik Deutschland[5], the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is a realistic prospect of someone being identified. When making that determination, account can be taken of the information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is insignificant, the information will not be personal data.

44. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner considers that the same rules will apply. In accordance with Recital 26 of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, taking into consideration the available technology at the time of processing and technological developments.

45. The Commissioner has considered PHS's submissions, together with the information that remains withheld. He is not satisfied that he has been provided with sufficiently persuasive arguments to conclude that disclosure would lead to the identification of individuals.

46. PHS argued that disclosure of the withheld information could lead to the identification of individuals, as described above, due to the low numbers within care homes, when considered against other information, in particular the data disclosed by the National Records of Scotland and the Care Commission. The Commissioner notes that the information disclosed as a result of Decisions 076/2021 and 079/2021 relates to the number of deaths in care homes. If such a link could be made, and the Commissioner does not accept that this is the case, then such a link would not relate to a living individual, as required if the information is to be personal data in terms of section 3(2) of the DPA 2018. An exercise focused on identifying people who have died is not, by definition, an exercise in identifying living individuals.

47. The Commissioner acknowledges PHS's concerns regarding the searches that could be conducted by a motivated or unethical individual, in relation to information that might be available elsewhere within the public domain. The Commissioner acknowledges that a determined individual might be able to identify people who are in nursing homes, but the point is that the data under consideration has to be the catalyst, or make a contribution of some significance, to the identification of those living individuals.

48. As indicated above, Recital 26 of the GDPR envisages some form of objective assessment of the likelihood of identification, taking account of factors such as cost and the time required, in the light of the available technology as it is developing. PHS has devoted much attention to the techniques potentially available, but it has not articulated its analysis of the likelihood of any of these techniques being used to identify the individuals under consideration here, or the actual contribution the withheld information would make to such identification. These are questions on which the Commissioner needs to be satisfied before concluding that the withheld information can be described as personal data. Simply following a disclosure protocol, without reference to the circumstances of the particular request, will not do, and neither will the argument (advanced by PHS) that it is not possible to devote resources to such analysis in the middle of responding to a pandemic. It goes without saying that the Commissioner has sympathy with the demands placed on a key health authority during the pandemic, but that sympathy cannot extend to applying exemptions with anything short of the required degree of rigour.

49. The Commissioner accepts that those who have been discharged from hospital, with or without either a positive or negative test, are likely to be aware of this, as are their relations, and perhaps close friends and care home staff. However, the Commissioner considers the likelihood of disclosure of the information withheld here making a material contribution to the identification of any living individuals, with any level of accuracy, to be extremely remote. He has not been provided with any evidence of analysis from PHS which would persuade him otherwise. In the circumstances, the Commissioner does not accept that there is a realistic causal chain that would lead to the identification of living individuals as claimed by PHS.

50. Therefore, the Commissioner does not agree that those individuals would be identified, or identifiable, as a consequence of disclosure of the withheld information, with the result that the information does not qualify as personal data, as defined in section 3(2) of the DPA.

51. As the Commissioner is not satisfied that the information that has been withheld, and as outlined in the Applicant's request (i.e. excluding numbers less than five, which may be identified as such), is personal data, he must find that PHS was not entitled to withhold the information under section 38(1)(b) of FOISA.

52. The Commissioner therefore requires PHS to provide the Applicant with all of the information it holds and which falls within the terms of the request.

Decision

The Commissioner finds that Public Health Scotland (PHS) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. The Commissioner finds that the information was incorrectly withheld under the exemptions claimed, with the result that PHS failed to comply with section 1(1) of FOISA.

The Commissioner therefore requires PHS to provide the information requested to the Applicant by 21 October 2021.

For avoidance of any doubt, this should be in the format provided to the Commissioner on 22 April 2021.

Appeal

Should either the Applicant or PHS wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If PHS fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that PHS has failed to comply. The Court has the right to inquire into the matter and may deal with PHS as if it had committed a contempt of court.

Daren Fitzhenry
Scottish Information Commissioner
6 September 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(c) section 36(2);

(e) in subsection (1) of section 38-

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

36 Confidentiality

(2) Information is exempt information if-

(a) it was obtained by a Scottish public authority from another person (including another such authority); and

(b) its disclosure by the authority so obtaining it to the public (otherwise than under this Act) would constitute a breach of confidence actionable by that person or any other person.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.