Home Decisions

Decision 193/2016

Decision 193/2016: Mr X and Lothian Health Board

Interview of member of staff

Reference No: 201601016
Decision Date: 25 July 2017

Summary

NHS Lothian was asked for information relating to an interview of a member of staff.

NHS Lothian refused to provide the information, which it considered to be personal data, disclosure of which would breach the data protection principles.

The Commissioner investigated and found that NHS Lothian had partially failed to respond to the request in accordance with Part 1 of FOISA. While NHS Lothian was entitled to withhold some personal data, it had incorrectly withheld other personal data (and information which was capable of being anonymised), and had failed to give notice of the applicant's right of appeal to the Court of Session.

The Commissioner required NHS Lothian to disclose the personal data it had withheld incorrectly.

This decision replaces Decision 193/2016 issued by the Commissioner on 14 September 2016.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of Exemptions); 21(10) (Review by Scottish public authority); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part I - The principles (the first and sixth data protection principles) and Part II - Interpretation of the principles in Part I (the sixth principle)); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, recital 26 (data rendered anonymous) and article 2 (Definitions) (definition of 'the data subject's consent')

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

All references in this decision to "the Commissioner" are to Margaret Keyse, who has been appointed by the Scottish Parliamentary Corporate Body to discharge the functions of the Commissioner under section 42(8) of FOISA.

Background

1. On 12 February 2016, Mr X made a request for information to NHS Lothian. The request was for all and any information, not amounting to personal data of which he was the subject, held in relation to his treatment on a specified occasion, and the formal interview of any NHS member of staff concerning his request to NHS personnel to contact a family member.

2. NHS Lothian responded on 3 March 2016. It informed Mr X that any information held concerning the interview would be exempt from disclosure under section 38 of FOISA. NHS Lothian considered disclosure would breach the data protection principles as it would not have the consent of the member of staff to disclosure.

3. On 9 March 2016, Mr X wrote to NHS Lothian, requiring a review of its decision as he believed NHS Lothian had failed to explain why the exemption in section 38(1)(b) of FOISA applied in the circumstances. He was dissatisfied that NHS Lothian had failed to consider the legitimate purpose being pursued by the request, or to explain why it would not have the member of staff's consent, and had not considered or explained why any interference with the privacy of the member of staff would be unwarranted in the particular circumstances of the request.

4. NHS Lothian notified Mr X of the outcome of its review on 13 March 2016, upholding its original decision without modification. It explained that section 38 was an absolute exemption, which provided for the exemption of any information meeting the criteria in that section. It confirmed that, in its view, any information held about the management of an individual member of staff would be exempt from disclosure.

5. On 24 May 2016, Mr X wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. Mr X stated he was dissatisfied with the outcome of NHS Lothian's review because, in relation to any third party personal data withheld under section 38(1)(b), he believed NHS Lothian had failed to carry out the balancing exercise required by statute. He was further dissatisfied that, in its review outcome, NHS Lothian had failed to give notice, in terms of section 21(10) of FOISA, of the right to appeal to the Court of Session (on a point of law) against a decision of the Commissioner.

6. The Commissioner subsequently issued a decision on 14 September 2016, finding a breach of section 21(10) of FOISA, but also finding that the third party personal data was exempt from disclosure under section 38(1)(b) of FOISA.

7. Mr X appealed the decision to the Court of Session under section 56(b)(i) of FOISA. He argued that the Commissioner had failed to give proper and adequate reasons for her decision on the application of section 38(1)(b) of FOISA.

8. The Commissioner considered Mr X's grounds of appeal and agreed that the reasoning given in the decision was not adequate. She therefore conceded the appeal and, on 9 December 2016, the Court of Session reduced the Commissioner's decision and remitted Mr X's application to her for reconsideration to allow her to retake her decision and to provide adequate and proper reasons for her decision.

Investigation

9. After the Court of Session reduced the Commissioner's decision, the Commissioner undertook further investigation. She sought additional comments from NHS Lothian. Further submissions were also sought, and obtained, from Mr X.

10. During the second investigation, NHS Lothian informed the investigating officer that it was willing to provide Mr X with an anonymised summary of the meeting record. NHS Lothian provided this information to Mr X on 28 April 2017.

11. Having considered the summary disclosed to him, Mr X informed the investigating officer that he still required a decision by the Commissioner. Mr X argued that NHS Lothian was not entitled to withhold the information at the time it responded to his request, that it continued to withhold some information to which he believed he was entitled, and that it failed to provide proper notice of review and appeal mechanisms.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr X and NHS Lothian. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA - Personal information

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, section 38(2)(b)) exempts information from disclosure if it is "personal data", as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

14. In order to rely on this exemption, NHS Lothian must show, firstly, that any such information would be personal data for the purposes of the DPA and, secondly, that disclosure of those data would contravene one or more of the data protection principles to be found in Schedule 1.

15. This exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the withheld information personal data?

16. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

17. NHS Lothian explained that the withheld information was contained in a meeting record concerning the conduct of a member of staff during the attendance and treatment of a patient (Mr X). The meeting in question had taken place following receipt of a letter from Mr X in relation to actions while he was being treated by NHS Lothian. The meeting note formed part of the staff member's personnel file and contained references to a patient (Mr X).

18. NHS Lothian took the view that the information was specific to those individuals and fell within the exemption in section 38(1)(b) of FOISA.

19. NHS Lothian confirmed that it did not consider any of the information to be sensitive personal data.

20. The Commissioner has considered the submissions received from NHS Lothian on this point, along with the withheld information. In line with these submissions, she is satisfied that the information in its entirety comprises the personal data of the member of staff. The information contains a record of the staff member's actions relating to a specific matter, created as a result of an internal interview with that individual. In addition, the information comprises, in part, the personal data of the interviewer and the patient (Mr X). Clearly, it is possible to identify these (living) individuals from it. It is about these individuals and so can be said to relate to them. It is therefore those individuals' personal data, as defined by section 1(1) of the DPA.

21. From recital 26 of Directive 95/46/EC (from which the DPA is derived), however, it is clear that data are not protected by the legislation where they are rendered anonymous in such a way that the data subject is no longer identifiable. Where this has been achieved, the data will, in effect, cease to be personal data for the purposes of the DPA and the requirements of the DPA will no longer apply.

22. As indicated above, NHS Lothian disclosed a summary of the meeting record during the investigation. The Commissioner is satisfied that one outcome of creating this summary was that any personal data in the original record were rendered anonymous: the data subjects who could be identified in the original record were no longer identifiable in the summary. In other words, the summary contains no personal data. As NHS Lothian has not sought to withhold the information in the summary under any exemption other than section 38(1)(b), and as it has provided no reasons why this information could not have been disclosed in response to Mr X's information request or his requirement for review, the Commissioner finds that in failing to disclose this information NHS Lothian failed to comply with section 1(1) of FOISA.

23. As the information in the summary has been disclosed to Mr X, the Commissioner does not require NHS Lothian to take any action in respect of this failure, in response to Mr X's application. She has considered the content of the summary carefully and is satisfied that it includes everything of any substance from the original note of the meeting, with the exception of the identities of the individuals referred to in the note. It is clear from Mr X's request and subsequent correspondence that he is not seeking his own personal data as part of the request: these do not, therefore, fall to be considered here. What remains to be considered is whether the personal data of the interviewee and the interviewer (for these purposes, their identities) could have been disclosed without contravening the data protection principles.

Would disclosure contravene the first or sixth data protection principle?

24. In its submissions to the Commissioner, NHS Lothian submitted that, were the information to be disclosed under FOISA, the sixth data protection principle would be breached. The sixth data protection principle requires that personal data shall be processed in accordance with the rights of the data subjects under the DPA. The sixth principle is only breached, however, by failure to comply with certain specific provisions of the DPA, none of which relate directly to acts which could result directly from disclosure in response to this particular information request. NHS Lothian did not provide detailed reasons for claiming a breach of this principle and, on the basis of the submissions received, the Commissioner cannot accept that it would be breached by disclosure of the requested information in this particular case.

25. NHS Lothian took the view that a breach of the sixth data protection principle would render disclosure unlawful, which would in turn breach the first data protection principle. Subsequent submissions, however, went on to provide additional reasons why NHS Lothian considered disclosure would breach the first principle. These will be considered further below.

26. The first data protection principle requires that data are processed fairly and lawfully. The processing in this case would be the disclosure of the information into the public domain, in response to Mr X's request.

27. The first data protection principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, as defined by section 2 of the DPA, at least one of the conditions in Schedule 3 to the DPA must also be met. The Commissioner is satisfied that the personal data in question are not sensitive personal data for the purposes of section 2, so it is not necessary here to consider the conditions in Schedule 3.

28. The Commissioner will now consider whether there are any conditions in Schedule 2 to the DPA which would permit the withheld personal data to be disclosed. If any of these conditions can be met, she must then consider whether disclosure of the information would be fair and lawful.

29. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. These three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that disclosure will also be fair and lawful.

Can any of the conditions in Schedule 2 be met?

Condition 1 in Schedule 2 to the DPA

30. Condition 1 in Schedule 2 to the DPA allows personal data to be processed if the data subject has given his (or her) consent to the processing.

31. Taking account of the definition of "the data subject's consent" in article 2 of Directive 95/46/EC, the Commissioner's view is that any consent meeting the requirements of condition 1 must be

(i) fully informed,

(ii) freely given,

(iii) specific to the circumstances and

(iv) a clear indication of the data subject's wishes.

In this regard, NHS Lothian was asked to clarify the interviewee's understanding with regard to consenting to disclosure of their personal data.

32. NHS Lothian confirmed that, in giving consent at the time, the interviewee was aware (and content) that the information would be disclosed to the public, in response to Mr X's request. This was confirmed with the interviewee during the second investigation. NHS Lothian also submitted, however, that such consent could only extend to those elements of the withheld report which comprised the personal data of the interviewee alone - it could not cover the personal data of others.

33. The Commissioner accepts that the interviewee's consent could not extend to disclosing the personal data of any other individuals contained in the meeting record. Subject to that proviso, however, she is satisfied that the consent met the requirements set out in paragraph 31 above. In other words, she accepts that condition 1 in Schedule 2 to the DPA could be met in relation to disclosure of that individual's personal data, where those personal data could be separated from the personal data of others. She can identify no other reason why such disclosure would be unfair or unlawful and therefore must conclude that NHS Lothian was not entitled to withhold this information under section 38(1)(b) of FOISA. In doing so, NHS Lothian failed to comply with section 1(1) of FOISA.

34. The Commissioner must, therefore, require NHS Lothian to disclose the identity of the interviewee to Mr X.

35. Following disclosure of the summary meeting record, Mr X acknowledged that the staff member's consent could not extend to the personal data of others. He reaffirmed that he was not seeking his own personal data. He noted that the personal data of the interviewer remained to be considered, and that this individual's consent to disclosure did not appear to have been sought.

36. With regard to the interviewer's identity, NHS Lothian confirmed that it had not sought the permission of the interviewer to disclose their personal data. The Commissioner accepts that there is no obligation on public authorities to seek the data subject's consent to disclosure of their personal data under FOISA. In the absence of such consent in relation to the interviewer, she must accept that condition 1 in Schedule 2 cannot, in this case, be relied upon to permit the disclosure of that individual's personal data under FOISA.

37. The Commissioner will now consider whether any other conditions in Schedule 2 would permit the interviewer's identity to be disclosed.

Condition 6 in Schedule 2 to the DPA

38. In the circumstances, it appears to the Commissioner that condition 6 in Schedule 2 is the only other one which might permit disclosure of the interviewer's personal data to Mr X. In any event, neither NHS Lothian nor Mr X has argued that any other condition would be relevant.

39. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (the individual to whom the data relate).

40. There are, therefore, a number of tests which must be met before condition 6 can apply. These are:

(i) Does Mr X have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subject?

(iii) Even if the processing is necessary for Mr X's legitimate interests, would it nevertheless be unwarranted, in this case, by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

41. There is no presumption in favour of disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. The legitimate interests of Mr X must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that NHS Lothian was correct to refuse to disclose the personal data to Mr X.

Does Mr X have a legitimate interest in obtaining the personal data?

42. In his application to the Commissioner, Mr X was concerned that NHS Lothian had initiated a formal procedure against a member of staff who may have acted contrary to the authority's policy. Believing the member of staff to have acted on a legitimate interest, Mr X was concerned this individual might have been victimised as a result. Mr X stated that he wished to have the information, as it might assist in informing a complaint he was pursuing against a separate public authority.

43. NHS Lothian acknowledged that it had not asked Mr X if he had a legitimate interest. Whilst it acknowledged that he might be interested in the information, it did not consider this to be the same thing as having a legitimate interest in obtaining the information. In the circumstances, it could not ascertain what legitimate interest would be fulfilled by disclosure of the information.

44. In his submissions to the Commissioner, Mr X expanded on what he considered to be his legitimate interest in the information.

45. Mr X explained that he had sent a letter of appreciation to NHS Lothian following the care he had received at one of its hospitals. In response, NHS Lothian informed him that it had initiated a formal meeting with the staff member in relation to matters concerning the contacting of his relatives, as outlined in his letter. Mr X argued that NHS Lothian's decision to initiate a response in these terms clearly implied that he had a legitimate interest in the information.

46. Mr X further explained that he had been pursuing a complaint against another public authority regarding the contacting of his relatives while he was in hospital. As the information requested in this case directly related to this matter, Mr X believed this evidenced that he had a legitimate interest in the information. He also highlighted other regulatory issues which might arise from the meeting record.

47. The Commissioner has considered all relevant submissions she has received on this point, along with the withheld personal data.

48. The Commissioner accepts that Mr X might have a specific personal interest in knowing the identity of the interviewer, as detailed in the meeting record. She has noted his specific interest in pursuing the complaint referred to in his submissions. She can also identify a broader public interest in transparency, so that the public can have confidence in NHS Lothian's policies and any actions taken to investigate any possible issues relating to staff conduct. These interests would be addressed, at least in part, by the disclosure of the information withheld in this case. In this regard, therefore, the Commissioner accepts that Mr X has a legitimate interest in obtaining the interviewer's personal data (insofar as still withheld).

Is disclosure necessary to achieve those legitimate interests?

49. The Commissioner must now go on to consider whether disclosure of the remaining withheld personal data (the identity of the interviewer) would be necessary to meet the legitimate interests she has identified above. This will include consideration of whether the legitimate interests might be met by alternative means which interfered less with the privacy of the data subject (the interviewer).

50. Mr X believed the purpose of the interview was to obtain the interviewee's assurance (irrespective of its veracity) that their actions were not contrary to what was said to be NHS Lothian's policy (despite, as he pointed out, no such policy existing: in this regard, he referred to the Commissioner's Decision 192/2016 Mr X and Lothian Health Board[1]). In this respect, Mr X believed the motivation and conduct of the interviewer was relevant to his application, and so their identity should be disclosed.

51. The Commissioner has considered all relevant submissions she has received carefully, together with the remaining withheld information. As indicated above, she is satisfied that the full substance of the meeting in question is conveyed in the summary disclosed during the investigation. Disclosure of the interviewer's remaining personal data would merely identify that individual, nothing more. The Commissioner cannot see how it could cast any light on their motivation or conduct, or on any other concerns identified by Mr X. It would do nothing to further any of the legitimate interests she has accepted above.

52. In the Commissioner's view, therefore, disclosure of the remaining personal data relating to the interviewer is not necessary to meet Mr X's legitimate interests. She is satisfied that these legitimate interests could be (and have been, in the course of the investigation) met by disclosure of the anonymised summary record of the meeting.

53. Having found that disclosure is not necessary, the Commissioner must conclude that condition 6 in Schedule 2 to the DPA cannot be met in this case, in relation to the remaining withheld personal data. In the absence of a condition permitting disclosure, she must also conclude that such disclosure would be unlawful.

54. The Commissioner therefore concludes that disclosure of the remaining withheld personal data (i.e. the interviewer's identity) would breach the first data protection principle, and so finds that NHS Lothian properly withheld this information under the exemption in section 38(1)(b) of FOISA.

Section 21(10) of FOISA - Review by Scottish public authority

55. In his application to the Commissioner, Mr X raised his concern that NHS Lothian had not provided information setting out his rights of appeal to the Court of Session (on a point of law only) if dissatisfied with a decision issued by the Commissioner.

56. Section 21(10) of FOISA requires that a notice under section 21(5) or 21(9) must contain particulars about the rights of application to the Commissioner and of appeal conferred by sections 47(1) and 56.

57. In its submissions to the Commissioner, NHS Lothian conceded that its review responses had never previously contained this advice, and only included information on making an application to the Commissioner if dissatisfied with the review response. NHS Lothian explained it had previously believed the onus was on the Commissioner to provide this advice to applicants, once an application for a decision had been made to the Commissioner.

58. NHS Lothian confirmed that, following discussions with staff from the Commissioner's office in May 2016 on this matter, it had amended its review templates to include information on making a subsequent appeal to the Court of Session.

59. Having examined NHS Lothian's review response to Mr X, it is a matter of fact that this did not provide Mr X with details of his right of appeal to the Court of Session (on a point of law only) if dissatisfied with a decision made by the Commissioner. Therefore, the Commissioner has concluded that NHS Lothian failed to comply with section 21(10) of FOISA in responding to Mr X's requirement for review.

60. The Commissioner notes, and welcomes, the steps taken by NHS Lothian to revise its review templates to include the information required by section 21(10) of FOISA. For this reason, she does not require NHS Lothian to take any further action in relation to this failure.

Decision

The Commissioner finds that Lothian Health Board (NHS Lothian) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to Mr X's information request.

The Commissioner finds that by correctly withholding some personal data under section 38(1)(b) (Personal information) of FOISA, NHS Lothian complied with Part 1.

However, she also finds that NHS Lothian failed to comply with Part 1 by:

(i) incorrectly withholding other personal data and an anonymised summary record of the meeting under section 38(1)(b) (a failure to comply with section 1(1) of FOISA), and

(ii) failing to include, in its review outcome, the correct notice informing Mr X of his right of appeal to the Court of Session, as required by section 21(10) of FOISA.

The Commissioner therefore requires NHS Lothian to disclose to Mr X the personal data which she has found to have been incorrectly withheld, and not already disclosed to him (i.e. the identity of the interviewee) by 8 September 2017.

For the reasons set out in this Decision Notice, the Commissioner does not require NHS Lothian to take any action in respect of its failure to comply with the requirements of section 21(10) of FOISA, or its failure to disclose an anonymised summary record, in response to Mr X's application.

Appeal

Should either Mr X or Lothian Health Board wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If Lothian Health Board (NHS Lothian) fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS Lothian has failed to comply. The Court has the right to inquire into the matter and may deal with NHS Lothian as if it had committed a contempt of court.

Margaret Keyse
Acting Scottish Information Commissioner

25 July 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.
 

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
 

21 Review by Scottish public authority

(10) A notice under subsection (5) or (9) must contain particulars about the rights of application to the Commissioner and of appeal conferred by sections 47(1) and 56.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998


1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;


Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

Part II - Interpretation of the principles in Part I

The sixth principleE+W+S+N.I.

8. A person is to be regarded as contravening the sixth principle if, but only if-E+W+S+N.I.

(a) he contravenes section 7 by failing to supply information in accordance with that section,

(b) he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section,

(c) he contravenes section 11 by failing to comply with a notice given under subsection (1) of that section, or

(d) he contravenes section 12 by failing to comply with a notice given under subsection (1) or (2)(b) of that section or by failing to give a notification under subsection (2)(a) of that section or a notice under subsection (3) of that section.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Directive 95/46/EC

Recital 26

Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;

 

Article 2

Definitions

For the purposes of this Directive:

(h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

[1] http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2016/201600701.aspx