Home Decisions

Decision 165/2019

Decision 165/2019: Names of recruitment panellists

Public authority: Fife Health Board
Case Ref: 201900373

Summary

NHS Fife was asked for the names of the members of a recruitment panel.

NHS Fife refused to provide the information on the basis it was personal data which, in the circumstances of the case, was exempt from disclosure.

The Commissioner investigated and found that the information was properly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) articles 4(1) and (11) (definition of "personal data" and "consent") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing); 7(1) (Conditions for consent)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3)(a) and (4)(d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 3 December 2018, the Applicant made a request for information to Fife Health Board (NHS Fife). The Applicant requested:

  • a copy of NHS Fife's consultant appointment procedure (request one)
  • details of the Board lead, HR advisor, Chair and membership of the Assessment panel, including the external assessor, for a recent appointment, together with the date of the interviews held (request two)
  • reasons for not shortlisting the Applicant (request three).

2. NHS Fife responded on 5 December 2018. NHS Fife provided the following response:

  • a copy of NHS Fife's Consultant appointment procedure (request one)
  • the general job titles of those on the appointment panel and the date on which the interviews were held (request two)
  • provision of the reasons for not shortlisting and confirmation that it was not normal practice to write to candidates who have not been shortlisted (request three).

3. On the same date, the Applicant wrote to NHS Fife confirming that she sought the names of the panellists. On 6 and 15 December 2018, the Applicant sought a review. The Applicant submitted to NHS Fife that the candidates interviewed were made aware of the panellists' names and therefore believed this to be a reasonable request.

4. NHS Fife notified the Applicant of the outcome of its review on 19 December 2019. NHS Fife explained that it would not provide confidential staff information or third party data in relation to an identifiable person; therefore the information was considered exempt in line with the protections of personal data set out in the DPA 2018.

5. On 2 March 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of NHS Fife's review because it had refused to provide information that would have been available to those called for interview.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 17 April 1019, NHS Fife was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Fife was invited to comment on this application and to answer specific questions. These related to the application of section 38 of FOISA, relevant Articles of the GDPR and the data protection principles.

9. NHS Fife responded to these questions and confirmed it was relying on section 38(1)(b) of FOISA to withhold the requested information.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Fife. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

13. To rely on this exemption, NHS Fife must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

14. The Applicant sought the names of the members of a recruitment panel for a Consultant appointment. NHS Fife submitted that disclosure would contravene the first data protection principle.

15. The Commissioner must decide whether NHS Fife was correct to withhold those names under section 38(1)(b) of FOISA.

Is the withheld information personal data?

16. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018 i.e. any information relating to an identified or identifiable individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR, also set out in in Appendix 1)

17. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus. It is clear that the information withheld in this case (names) "relates to" identifiable living individuals.

18. The Commissioner therefore concludes that the information withheld is personal data, for the purposes of section 3(2) of the DPA 2018.

Which of the data protection principles would be contravened by disclosure?

19. NHS Fife stated that disclosure of this personal data would contravene the first data protection principle (Article 5(1)(a)). Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

20. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

21. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed. The Commissioner considers conditions (a) and (f) in Article 6(1) are the only conditions which could potentially apply in the circumstances of this case.

Condition (a): consent

22. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

23. "Consent" is defined in Article 4 of the GDPR as-

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

24. In terms of Article 7(1), the data controller (in this case, NHS Fife) must be able to demonstrate that the required consent exists.

25. NHS Fife stated that, at the time of responding to the request for submissions, it did not have the consent of all the members of the panel to release their information.

26. The Commissioner concludes that, as consent has not been freely given for the personal data to be disclosed, condition (a) does not allow for disclosure of the information.

Condition (f): legitimate interests

27. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

28. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

29. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental right and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

30. NHS Fife submitted that it did not consider there to be a legitimate reason for disclosing the panel's personally identifiable information. It commented that its Recruitment and Selection Policy states that panel members' names will be disclosed to interview candidates as part of the invite to interview letter. This is the only time, other than attending an interview, when the panel's personal data in relation to their role in the recruitment process will be disclosed to applicants. Since the Applicant did not reach this stage of the selection process, it did not consider there to be a legitimate interest in disclosing the information.

31. The Applicant submitted that, in order to appeal the decision of NHS Fife not to shortlist her for the post, she required the panellists' names. By denying the names, the Applicant submitted that she had been denied the right of appeal, as stated in the Appointments policy.

32. In response, NHS Fife confirmed that the option to appeal an appointment decision is listed in section 12.2 of NHS Fife's Human Resources Directorate Procedure and is only available to candidates who were unsuccessful at interview.

33. The Applicant also argued that it was in the public interest that the information was disclosed to ensure that the appointments were open and transparent. The Commissioner accepts that disclosure of this information would create transparency and accountability in the recruitment process for the Applicant (and the wider public). Consequently, the Commissioner accepts that the Applicant has a legitimate interest in disclosure of the personal data.

Is disclosure of the personal data necessary?

34. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

35. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 552. In this case, the Supreme Court stated (at paragraph 27):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

36. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

37. The Commissioner accepts that disclosure of the personal data is necessary to achieve the Applicant's legitimate interests. The Applicant has already received some information which will take her some way towards satisfying her legitimate interest. However, the Commissioner can identify no viable means of meeting the Applicant's legitimate interests related to transparency in the recruitment process which would interfere less with the privacy of the data subjects than providing the withheld information. In all the circumstance, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of the Applicant's legitimate interests.

The data subjects' interests or fundamental rights and freedoms

38. It is necessary to balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subjects would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

39. The Commissioner's guidance on section 38 of FOISA[1] notes factors that should be taken into account in balancing the interests of parties. He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Would the disclosure cause harm or distress?

(iii) Whether the individual has objected to the disclosure.

40. Disclosure under FOISA is public disclosure; information disclosed under FOISA is effectively placed into the public domain.

41. The Commissioner acknowledges that the withheld information relates to the individuals' public life (as employees of NHS Fife) adding some weight toward disclosure.

42. The Commissioner has also considered the harm or distress that may be caused by disclosure. NHS Fife considered that the panel members would have no expectation that their identities would be made public as a result of taking part in a recruitment process: it informs staff that it will not share personal data unless it is legally obliged to do so in relation to their employment, professional life (e.g. accreditation or registration) and/or as part of fraud or criminal investigations.

43. NHS Fife explained that standard recruitment procedure is to supply the panel with anonymised applications to select a short list of candidates for interview. All personal identifiers are removed from the application paperwork, so that the panel only has access to the qualification, knowledge and experience of the applicants. It submitted that the shortlisting is required to be undertaken on the basis of fair and legal criteria and it is required to demonstrate that recruitment and selection decisions are free from any bias or discrimination. NHS Fife submitted that there is no expectation by employee that their identities in relation to the confidential recruitment process will be released to anyone other than applicants invited to interview.

44. After carefully balancing the legitimate interests of the panel members against those of the Applicant, the Commissioner finds that the legitimate interests served by disclosure of the remaining withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question (the panellists). The Commissioner notes that the legitimate interests of the Applicant are, to some extent, satisfied by the procedures that are in place and the information already provided. Condition (f) in Article 6(1) of the GDPR cannot, therefore, be met in relation to the withheld personal data.

45. In the absence of a condition in Article 6 of the GDPR allowing the personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.

Fairness

46. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subjects.

Conclusion on the data protection principles

47. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Fife Health Board complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or NHS Fife wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
6 November 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

4 Definitions

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Article 7 Conditions for consent

1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx