Decision 178/2012 Mrs Teresa McNally and Forth Valley Health Board

Non-executive director's remuneration

Reference No: 201200921
Decision Date: 1 November 2012

Summary

Mrs McNally asked Forth Valley Health Board (NHS Forth Valley) for information about one of its non-executive directors. NHS Forth Valley responded by providing some information, but withheld other information on the basis that it was personal data, the disclosure of which would breach one of the data protection principles.

Following an investigation, the Commissioner found that NHS Forth Valley was entitled to withhold the information on this basis.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles, Part 1: the principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 18 February 2012, Mrs McNally wrote to NHS Forth Valley. Commenting on her understanding of a determination by HM Revenue and Customs (HMRC) relating to the remuneration of one of the Board's non-executive directors, she requested the following information:

whether the non-executive director had repaid certain sums to the Health Board (request 1)

the identity of the non-executive director (request 2)

whether the individual in question was still a Board member (request 3).

2. NHS Forth Valley responded on 20 March 2012, advising Mrs McNally that "the individual has paid the amount due and there are no monies outstanding." In response to requests 2 and 3, NHS Forth Valley withheld the information under section 38(1)(b) of FOISA.

3. On 26 March 2012, Mrs McNally wrote to NHS Forth Valley requesting a review of its decision. Mrs McNally was satisfied with the response to request 1, but not with those to requests 2 and 3. Noting that the position of non-executive director was by public appointment, and referring to the Nolan Principles of public office, she suggested that in terms of transparency and accountability the information should be made available in the public interest.

4. NHS Forth Valley notified Mrs McNally of the outcome of its review on 24 April 2012. It upheld its decision to withhold the information under section 38(1)(b) of FOISA. NHS Forth Valley explained that it had followed new guidance [in respect of PAYE] and fully disclosed this in its annual accounts for 2010/11, which were subject to external audit and publicly available.

5. On 7 May 2012, Mrs McNally wrote to the Commissioner, stating that she was dissatisfied with the outcome of NHS Forth Valley's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

6. The application was validated by establishing that Mrs McNally had made requests for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its responses to those requests. The case was then allocated to an investigating officer.

Investigation

7. The investigating officer subsequently contacted NHS Forth Valley, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, NHS Forth Valley was asked (with particular reference to the requirements of section 38(1)(b)) to justify its reliance on any provisions of FOISA it considered applicable to the information requested.

8. The relevant submissions received from both NHS Forth Valley and Mrs McNally will be considered fully in the Commissioner's analysis and findings below.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner has considered all the submissions made to her by both Mrs McNally and NHS Forth Valley and is satisfied that no matter of relevance has been overlooked.

Consideration of section 38(1)(b)

10. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data if its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles.

11. NHS Forth Valley withheld information in terms of section 38(1)(b), on the basis that it was the personal data of an individual, disclosure of which would breach the first data protection principle. In considering the application of this exemption, the Commissioner will consider first whether the information in question is personal data as defined in section 1(1) of the DPA and then, if it is, whether its disclosure would breach the first data protection principle.

Is the information under consideration personal data?

12. The definition of "personal data" is set out in the Appendix.

13. The Commissioner is satisfied that the Board member's identity falls within the definition of personal data, as a living individual can be identified from the information, which is biographical in relation to that individual and focuses on them. The Commissioner is therefore satisfied that that information relates to the individual.

14. Mrs McNally also asked whether the person is still a Board member. The Commissioner is satisfied that this is information held by NHS Forth Valley. It does not necessarily follow, however, that it would be the personal data of the individual in question.

15. While a person who knows the identity of the individual will be able to ascertain whether that individual is still a Board member, this does not mean that a person who knows whether or not the individual is still a Board member will necessarily (from that information) be able to identify the individual. This point was put to NHS Forth Valley.

16. NHS Forth Valley explained that, as there were only six non-executive Board members, and their terms of appointment and dates of joining and leaving the Board were in the public domain, and only a minority were office holders, it believed the answer to request 3 would provide a ready means of identification of the individual in question.

17. Guidance entitled "Determining what is personal data[1]" which has been issued by the Information Commissioner (who is responsible for enforcing the DPA throughout the UK) states that, in considering whether a person can be identified, it should be assumed that the relevant means of identification are not just those reasonably likely to be used by the ordinary man in the street, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual. In this case, NHS Forth Valley believed a reasonably determined person would be able to identify the individual from the small number of persons concerned and could make the connection from all the information available in the public domain.

18. The Commissioner accepts NHS Forth Valley's submission that a living individual can be identified from the information in request 3, given the relatively small number of individuals involved (non-executive Board members) and the relevant information available in the public domain. Given the nature of the information, the Commissioner is also satisfied that it relates to the individual.

19. The Commissioner is therefore satisfied that the information held by NHS Forth Valley which could answer requests 2 and 3 is properly considered personal data, the individual to whom the data relate being identifiable from those data (in the case of request 2) and from those data and other information (in the case of request 3). The Commissioner will now go on to consider whether disclosure of the information would breach the first data protection principle.

The first data protection principle

20. The first data protection principle states that personal data shall be processed fairly and lawfully. It also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA is also met.

21. NHS Forth Valley took the view that the information was not sensitive personal data as defined by section 2 of the DPA. The Commissioner agrees, and therefore has not found it necessary to consider whether any of the conditions in Schedule 3 could be met.

22. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2] that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

23. The Commissioner considers that only condition 6 in Schedule 2 to the DPA might be considered to apply in this case. Condition 6 allows personal data to be processed (in this case, disclosed in response to Mrs McNally's information request) if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

24. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

Does Mrs McNally have a legitimate interest in obtaining these personal data?

If so, is the disclosure necessary to achieve those legitimate aims? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject (i.e. the individual to whom the data relate)?

Even if disclosure is necessary for the legitimate purposes of the applicant, would disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject?

25. As noted by Lord Hope, there is no presumption in favour of the release of personal data under the general obligation laid down in FOISA. Accordingly, the legitimate interests of Mrs McNally must outweigh the rights, freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that NHS Forth Valley was correct to refuse to disclose the personal data to Mrs McNally.

Does Mrs McNally have a legitimate interest?

26. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. In published guidance[3] on section 38 of FOISA, the Commissioner states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

27. Mrs McNally's requests referred to the Nolan principles, and she submitted that her legitimate interest should be taken to be that of an interested person seeking information to demonstrate accountability, openness and transparency of a public authority.

28. The Commissioner accepts that Mrs McNally, as an individual, has a legitimate interest in the withheld personal data. The Commissioner also considers that there is a general interest in ensuring that public authorities are transparent and accountable in relation to financial matters, and that this extends to understanding issues relating to remuneration.

Is disclosure of the information necessary to achieve these legitimate interests?

29. The Commissioner must now consider whether disclosure of the withheld personal data is necessary for the legitimate interests identified above, and in doing so she must consider whether these interests might reasonably be met by any alternative means.

30. NHS Forth Valley submitted that Mrs McNally was satisfied with the answer to the first request and therefore it believed that her legitimate interest had been answered and that its response was commensurate with the Nolan Principles: that is, it had demonstrated that there had been accountability, openness and transparency. This, NHS Forth Valley submitted, had been demonstrated through the annual accounts, confirming that all relevant sums had been fully accounted for.

31. The Commissioner acknowledges that disclosure of the withheld personal data would allow a degree of additional scrutiny in relation to this matter, which could not be achieved by any alternative means. To that extent, the Commissioner accepts that disclosure is necessary for the purposes of Mrs McNally's legitimate interests. In all the circumstances of this case, the Commissioner can identify no viable means of meeting Mrs McNally's legitimate interests which would interfere less with the privacy of the data subject than the provision of the withheld personal data. In the circumstances, therefore, she is satisfied that disclosure of these personal data is necessary to meet the legitimate interests in question.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

32. NHS Forth Valley's submissions to the Commissioner strongly argued that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject. Similarly, Mrs McNally put forward her submission as to why the personal data should be disclosed.

33. The Commissioner has considered these submissions and has taken into account the guidance on this point in her briefing on the section 38 exemption (referred to above), which identifies relevant factors as including:

whether the information relates to the individual's public or private life

the potential harm or distress that may be caused by disclosure

whether the individual has objected to disclosure

the reasonable expectations of the individual as to whether their information would be disclosed.

34. NHS Forth Valley submitted that the tax returns of the data subject should be considered private and, while an individual's remuneration in public office will be a matter of public record, organisation of an individual's tax and national insurance contribution would be a private matter.

35. The Commissioner considers that, although there are no absolute rules in this regard, where information relates to an individual's private life (i.e. their home, family, social life or finances), it will generally deserve more protection than information about them acting in an official or work capacity (i.e. their public life).

36. The Commissioner recognises that where payments or income are made by a public authority to an employee, information about those payments relates both to that person's private and public life. On the one hand, individuals paid from the public purse should expect some information about their remuneration to be made public. On the other hand, at a certain level, such information will relate to personal financial circumstances and will therefore merit a degree of protection.

37. In this instance, the identity of the person could be connected with the information in the public domain, for example, Audit Scotland's Report NHS Forth Valley - Annual Report to Forth Valley Health Board and the Auditor General for Scotland - 2010/11.[4] This would give an indication of the individual's tax and national insurance contribution, generally a private matter.

38. In terms of potential harm or distress that might be caused by disclosure, NHS Forth Valley submitted that there would be harm to reputation as a result of misinterpretation: that is, although it did not consider there to have been any wrongdoing by the individual (NHS Forth Valley produced evidence which it believed substantiated this position), disclosure of their identity might still result in reputational damage to that person.

39. Mrs McNally, however, remained of the opinion that wrongdoing had occurred and commented that the other non-executive directors must at present be undergoing harm in that they were suspected of being the person at issue.

40. While any such damage could be lessened by explanations provided by the authority, the Commissioner accepts that damage as a result of a misinterpretation is nonetheless damage to the individual's reputation. NHS Forth Valley also pointed out that the individual had objected to disclosure, and the Commissioner has taken this into account.

41. The Commissioner has balanced the legitimate interests of the data subject against those identified by Mrs McNally. In considering the former, she is looking at the effects of disclosure on the individual in question. It is not for the Commissioner (as opposed to HMRC) to determine whether there has been wrongdoing in this case, on the part of either the data subject or NHS Forth Valley: all she will say on that point is that (from the evidence she has seen) she does not believe this to be a consideration which enhances the legitimate interest in disclosure in this particular case.

42. The Commissioner accepts that the information pertains more to the individual's personal rather than public life and that there is the potential for some reputational harm to be caused to them by disclosure. The Commissioner is also of the view that disclosure would not, in this instance, improve transparency or accountability in the way in which Mrs McNally has submitted.

43. On balance, the Commissioner does not accept that the legitimate interests served by disclosure in this case outweigh the prejudice that disclosure would cause to the data subject's rights, freedoms and legitimate interests. Consequently, she considers that such prejudice would be unwarranted in this case. The Commissioner therefore concludes that condition 6 in Schedule 2 to the DPA cannot be met.

44. Having accepted that disclosure of the withheld personal data would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject as described above, the Commissioner must also conclude that disclosure would be unfair. As no condition in Schedule 2 to the DPA can be met, she must also find disclosure to be unlawful. In all the circumstances, therefore, the Commissioner's conclusion is that the first data protection principle would be breached by disclosure of the information in the withheld personal data and that this information was properly withheld under section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that Forth Valley Health Board complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information requests made by Mrs McNally.

Appeal

Should either Mrs McNally or Forth Valley Health Board wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
1 November 2012

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

...

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

...

(e) in subsection (1) of section 38 -

...

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

...

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

...

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

...

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

...

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

...

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

...

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

...

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

...

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

...



[1] http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PERSONAL_DATA_FLOWCHART_V1_WITH_PREFACE001.ashx

[2] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[3] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

[4] http://www.audit-scotland.gov.uk/docs/health/2011/fa_1011_nhs_forth_valley.pdf