Home Decisions

Decision 167/2020

Decision 167/2020: Settlement value of neurosurgery claims

Public authority: Tayside Health Board
Case Ref: 202000961

Summary

NHS Tayside was asked for the total aggregated financial value of settlements relating to neurosurgery claims for incidents that occurred during the years 2014 to 2020.

NHS Tayside refused to confirm or deny that it held the information, stating that - if it existed and was held - it would be exempt from disclosure and that it was not in the public interest to reveal whether the information existed.

The Commissioner found that NHS Tayside was not entitled to refuse to reveal whether the information existed or was held. He required NHS Tayside to issue a new response.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provisions as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing); 9(1) and (2)(a) and (e) (Processing of special categories of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 28 May 2020, the Applicant made a request for information to NHS Tayside. The information requested was:

(i) How much did NHS Tayside spend with the Central Legal Office per annum in the years 2010 to 2020?

(ii) How much did NHS Tayside spend with the Central Legal Office per annum defending neurosurgery claims/cases in the years 2010 to 2020?

(iii) Can you provide the aggregated total settlement value/financial figure for settled neurosurgery claims for incidents that occurred in the calendar years 2014 to 2020?

2. On 29 June 2020, the Applicant wrote to NHS Tayside, pointing out that the 20 working day response period had lapsed and asking it to respond as soon as possible. In response, NHS Tayside apologised for the late reply and asked the Applicant if he wished to receive the information for part (i) of the request at that stage. The Applicant confirmed he would wait for a full response.

3. NHS Tayside responded on 30 July 2020. For part (i) of the request it provided the information in full: it informed the Applicant that it did not hold the information requested for part (ii).

4. For part (iii) of the request, which is the subject of this decision, NHS Tayside responded in terms of section 18(1) of FOISA, in conjunction with section 38(1)(b) (Personal information). It refused to confirm nor deny that it held the information requested, or if it existed, stating that to do so would be contrary to the public interest. NHS Tayside stated that, if the information did exist and was held, it would be exempt under section 38(1)(b) of FOISA.

5. On 30 July 2020, the Applicant wrote to NHS Tayside, requesting a review of its decision to neither confirm nor deny whether it held the information for part (iii) of the request. The Applicant stated that he knew NHS Tayside held the information as it had previously disclosed an aggregated total settlement value for settled neurosurgery claims, albeit not for the period requested here. He argued that it would be impossible to identify anyone from the data.

6. NHS Tayside notified the Applicant of the outcome of its review on 21 August 2020. It fully upheld its original decision.

7. On 21 August 2020, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of NHS Tayside's review because he knew NHS Tayside held the information and, in his view, it would be impossible to identify anyone from it.

Investigation

8. The application was accepted as valid. The Commissioner confirmed that the Applicant had made a request for information to a Scottish public authority and had asked the authority to review its response to that request before applying to him for a decision.

9. On 4 September 2020, NHS Tayside was notified in writing that the Applicant had made a valid application and the case was subsequently allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Tayside was invited to comment on this application and to answer specific questions. These focused on NHS Tayside's justification for neither confirming nor denying it held the information for part (iii) of the request.

11. The Applicant was also invited to comment on the public interest in NHS Tayside revealing whether the information existed.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner has considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Tayside. He is satisfied that no matter of relevance has been overlooked.

Section 18 - "neither confirm nor deny"

13. Section 18 of FOISA allows Scottish public authorities to refuse to reveal whether they hold information (or whether it exists) in the following limited circumstances:

(i) a request has been made to the authority for information which may or may not be held by it;

(ii) if the information were held by the authority (and it need not be), the authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

(iii) the authority considers that to reveal whether the information exists or is held would be contrary to the public interest.

14. In this case, in both its initial response and review response to part (iii) of the request, NHS Tayside stated that if it did hold any information falling within the scope of this part of the request, it could be withheld under the exemption in section 38(1)(b) (Personal information) of FOISA.

15. The Commissioner will first of all consider whether NHS Tayside would be entitled to rely on the exemption contained in section 38(1)(b) of FOISA.

16. The Commissioner must ensure that this decision does not confirm one way or the other whether the information requested actually exists or is held by the authority. This means that he is unable to comment in any detail on the authority's reliance on section 38(1)(b), or on other matters which could have the effect of indicating whether the information exists or is held.

Section 38(1)(b) - Personal information

17. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

18. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Would the information, if held, be personal data?

19. The Applicant sought the aggregated total settlement value/financial figure for settled neurosurgery claims for incidents that occurred in the calendar years 2014 to 2020. The Commissioner must firstly address whether this information requested, if it existed and were held, would be personal data for the purposes of section 3(2) of the DPA 2018.

20. "Personal data" is defined in section 3(2) as any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR.) Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

21. The Applicant argued that it would be impossible to identify anyone from the information.

22. The Commissioner is satisfied that, if it were held and if it existed, any information captured by this request would, as it related to neurosurgery claim(s) made as a result of an adverse event(s), "relate to" individuals. He is also satisfied that, in the light of the submissions from NHS Tayside, that it would relate to identified or identifiable individual(s). He therefore accepts that the information, if held, would be personal data for the purposes of section 3(2) of the DPA 2018.

Would the information, if held, be special category personal data?

23. Article 9(1) of the GDPR lists the categories of personal data which fall within the special categories of personal data (see Appendix 1). This includes data which concern the health of an individual(s).

24. In its submissions to the Commissioner, NHS Tayside argued that, if the information were held and if it existed, it would comprise special category personal data, i.e. data concerning health. This was on the basis that, if held, the information would relate to an adverse event(s) that occurred during the medical treatment of an individual(s).

25. The Commissioner accepts that any settlement figure(s) held would intrinsically be linked to any neurosurgery claim(s) made as a result of an adverse event(s) occurring during medical treatment. The Commissioner is therefore satisfied that, if it existed and were held, the information would fall within the special category of personal data concerning health, listed in Article 9(1) of the GDPR.

26. The Commissioner will now go on to consider whether disclosure would contravene one of the data protection principles in Article 5 of the GDPR.

Would disclosure contravene one or more of the data protection principles?

27. NHS Tayside argued that disclosing the personal data, if they existed and were held, would breach the first data protection principle. This requires personal data to be processed lawfully, fairly and in a transparent manner in relation to the data subject(s) (Article 5(1)(a) of the GDPR).

28. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018), "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to an information request. This means that the personal data could only be disclosed if disclosure would be both lawful and fair.

29. The Commissioner must now consider whether disclosure of the personal data, if they existed and were held, would be lawful and fair (Article 5(1)(a)).

Lawfulness

30. The Commissioner has accepted that the information, if it existed and were held, would be special category data for the purposes of Article 9(1) of the GDPR. Special category personal data are afforded more protection by the GDPR. To be lawful, their processing must meet one of the conditions in Article 9(2) of the GDPR.

31. The Commissioner's guidance on section 38 of FOISA[1] notes that Article 9 of the GDPR only allows special category personal data to be processed in very limited circumstances. The Commissioner considers that the only situations where it is likely to be lawful to disclose special category personal data in response to an information request under FOISA are where one of the conditions in Articles 9(2)(a) or (e) apply.

Article 9(2)(a): Explicit consent

32. Article 9(2)(a) allows special category personal data to be processed where the data subject(s) has/have given explicit consent to the disclosure of the information. Consent must have been freely given, specific, informed and unambiguous (Article 4(11) of the GDPR) and on the understanding that the personal data will be placed into the public domain.

33. NHS Tayside submitted that, if the information existed and were held, the nature and terms of any such settlements would be confidential between the parties involved.

34. The Commissioner has concluded that, if the information existed and were held, it would not be reasonable or appropriate to seek consent from the data subject(s) for disclosure of the personal data, and that condition 2(a) could not be met in this case.

Article 9(2)(e): Manifestly made public

35. Article 9(2)(e) allows special category personal data to be processed where the personal data have manifestly been made public by the data subject(s).

36. Neither NHS Tayside nor the Applicant has suggested that the personal data, if they existed and were held, would have been manifestly made public by the data subject(s).

37. The Commissioner is satisfied that the information, if held and in existence, would not have been made public as a result of steps deliberately taken by the data subject(s), and so condition 2(e) could not be met in this case. It is not information of a kind it would be reasonable to expect would be made public in such a manner.

38. In the circumstances, the Commissioner must conclude that, in the absence of a condition in the GDPR allowing the special category personal data (if they existed and were held) to be processed, that disclosure would be unlawful.

Fairness

39. Given that the Commissioner has concluded that the processing of the personal data, if they were held and existed, would be unlawful, he is not required to go on to consider whether any such disclosure would otherwise be fair or transparent in relation to the data subject(s).

Conclusion on the data protection principles

40. For the reasons set out above, the Commissioner is satisfied that the disclosure of any personal data, if held, would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that such personal data, if they existed and were held, would be exempt from disclosure under section 38(1)(b) of FOISA and that NHS Tayside could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt information by virtue of section 38(1)(b) of FOISA.

Section 18(1) - The public interest

41. The Commissioner must now consider whether NHS Tayside was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

42. NHS Tayside believed it was not in the public interest to reveal whether the information existed or was held. It submitted that it had balanced the public interest in knowing whether there had been any settled neurosurgery claims, against any potential risk to the privacy of the data subject(s). NHS Tayside considered that the balance of public interest fell in favour of the protecting the interests or fundamental rights and freedoms of the data subject(s), as set out in Article 6(1)(f) of the GDPR (see Appendix 1), which outweighed those of the public to access the information, if held.

43. The Applicant believed the public interest lay in organisations complying with the principles of procedural fairness and natural justice, acting reasonably and ensuring accountability and transparency.

44. The Commissioner has carefully considered the arguments presented by both parties. The test he must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) revealing whether the information exists or is held would be contrary to the public interest.

45. Disclosure under FOISA is not simply disclosure to the person requesting the information, but rather is a public disclosure. In this case, the Commissioner is satisfied that disclosing the information, if it were held and existed, would breach the first data protection principle.

46. The Commissioner notes that NHS Tayside responded to a previous, similar information request under FOISA, confirming that it held information of this nature. NHS Tayside has published its response on its website[2]. It is clear that, when responding to this previous request, NHS Tayside did not consider it would be contrary to the public interest to confirm that information existed at that time. The Commissioner can see no valid reason for NHS Tayside's change of position now, in relation to a request for similar information.

47. The Applicant is already aware of the aggregated value of settled neurosurgery claims for the period 2012 to 2017, as disclosed by NHS Tayside in response to the request referred to above. Confirming whether any similar information was, or was not, held for the years 2014 to 2020 would not, in the Commissioner's view, given the overlap of the two time periods, reveal anything of substance, but only whether NHS Tayside did or did not hold the information.

48. The Commissioner does not accept that confirming or denying the information's existence (or whether it was held) would compromise the privacy of the data subject(s), or cause them unjustifiable harm or distress (were the information held), in the manner described by NHS Tayside. In the Commissioner's view, NHS Tayside's arguments for applying section 18 focus more on the disclosure of the content of any relevant information (if it existed and were held), as opposed to confirmation or otherwise of its existence and whether or not it is held.

49. On balance, the Commissioner is not satisfied, in this case, that it would be contrary to the public interest for NHS Tayside to reveal whether the information requested in part (iii) of the request exists or is held by it.

50. Consequently, the Commissioner concludes that NHS Tayside was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA, whether it held the information requested in part (iii) of the request, or whether that information existed.

51. The Commissioner requires NHS Tayside to issue a revised review outcome for part (iii) of the request, otherwise than in terms of section 18(1) of FOISA. He requires NHS Tayside to confirm to the Applicant whether the information requested in part (iii) existed and was held by it when it received the request, and to issue a fresh review outcome in terms of section 21(4)(b) of FOISA.

Decision

The Commissioner finds that NHS Tayside failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

He finds that NHS Tayside was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA, whether it held information for part (iii) of the request, or whether that information existed.

The Commissioner therefore requires NHS Tayside to reveal to the Applicant whether the information he requested existed and was held by it when it received his request, and to provide him with a fresh review outcome in terms of section 21(4)(b) of FOISA, by 1 February 2021.

Appeal

Should either the Applicant or NHS Tayside wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If NHS Tayside fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS Tayside has failed to comply. The Court has the right to inquire into the matter and may deal with NHS Tayside as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement
17 December 2020

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

 

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

 

Article 9 Processing of special categories of personal data

1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2 Paragraph 1 shall not apply if one of the following applies:

a. the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.

e. processing relates to personal data which are manifestly made public by the data subject.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject", means the identified or identifiable living individual to whom the personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).