Decision 196/2011 Dr David Leung and Fife Health Board
Legal cases and compensation payments
Reference No: 201101137
Decision Date: 29 September 2011
Summary
Dr Leung requested from Fife Health Board (NHS Fife) information regarding legal cases against, and compensation payments made by, NHS Fife.NHS Fife responded by providing Dr Leung with some information while withholding the remainder as exempt in terms of section 38(1)(b) of FOISA. Following a review, Dr Leung remained dissatisfied and applied to the Commissioner for a decision.
Following an investigation, the Commissioner found that NHS Fife had dealt with Dr Leung's request for information in accordance with Part 1 of FOISA, by correctly applying the exemptions in section 38(1)(b) and (d) of FOISA to the information withheld. He did not require NHS Fife to take any action.
Relevant statutory provisions and other sources
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e) (Effect of exemptions) and 38(1)(b) and (d), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject", "personal data" and "health record") (Personal information)
Access to Health Records Act 1990 section 1(1) ("Health record" and related expressions)
Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data") and2(e) (Sensitive personal data); Schedules 1 (The data protection principles, Part I ? the principles) (the first data protection principle) and 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ? Recital 26
The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision.The Appendix forms part of this decision.
Background
1.On 21 February 2011, Dr Leung wrote to NHS Fife requesting information which included the following:
i.Details of all legal cases against NHS Fife
ii.Details of compensation payments including ex gratia payments made to patients.
2.On 28 February 2011, in response to a request from NHS Fife, Dr Leung confirmed and clarified that he was seeking information relating to clinical incidents.
3.NHS Fife responded on 23 March 2011.Dr Leung was provided with an annual breakdown of the number of complaints between 2006 and 2010.In relation to compensation payments, he was informed that a total of 27 claims had been settled in a five year period and was given the total amount paid in compensation.He was informed that he had been provided with figures for the five year period as the number of claims settled in some years was low enough to make the information individually identifiable. Consequently, NHS Fife relied upon section 38 of FOISA to withhold any more detailed information.
4.On 4 May 2011, Dr Leung wrote to NHS Fife requesting a review of its decision.He indicated that he required details of the individual legal cases and compensation payments, including details of the nature of the legal cases (including the type of clinical negligence, maladministration, service failure, GMC findings/reports, communication failures, the issue of misleading/inaccurate statements, discrimination, unreasonable delays, bad/wrong medical advice, failure to follow procedures and standard practice) and the individual compensation amounts (split between ex gratia payments and non-ex gratia payments) in each of the cases.
5.NHS Fife notified Dr Leung of the outcome of its review on 20 May 2011, upholding the decision that the information requested was exempt in terms of section 38(1)(b) of FOISA as the disclosure of any breakdown would potentially identify the patients involved.
6.On 25 June 2011, Dr Leung wrote to the Commissioner, stating that he was dissatisfied with the outcome of NHS Fife's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.
7.The application was validated by establishing that Dr Leung had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.
Investigation
8.On 27 June 2011, NHS Fife was notified in writing that an application had been received from Dr Leung and was asked to provide the Commissioner with any information withheld from him. NHS Fife responded with the information requested and the case was then allocated to an investigating officer.
9.The investigating officer subsequently contacted NHS Fife, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.NHS Fife was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested, with particular reference to the requirements of section 38(1)(b).
10.NHS Fife responded with submissions on the application of section 38(1)(b) to the withheld information.In these, it explained that it considered the withheld information to be sensitive personal data as defined in section 2 of the DPA.In further submissions, NHS Fife argued that certain of the information, in forming deceased persons' health records, was exempt in terms of section 38(1)(d) of FOISA.
11.The relevant submissions obtained from Dr Leung and NHS Fife will be considered fully in the Commissioner's analysis and findings below.
Commissioner's analysis and findings
12.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Dr Leung and NHS Fife and is satisfied that no matter of relevance has been overlooked.
Section 38(1)(d) ? deceased persons' health records
13.NHS Fife submitted that certain of the withheld information fell within the definition of deceased persons' health records and as such was exempt in terms of section 38(1)(d) of FOISA.This exemption is absolute and therefore is not subject to the public interest test contained in section 2(1)(b) of FOISA.
14.As NHS Fife has submitted, the relevant definition of "health record" for these purposes is that contained in section 1(1) of the Access to Health Records Act 1990.This is set out in the appendix below and the Commissioner is satisfied, having considered the definition in the context of the withheld information, that NHS Fife was entitled to withhold those elements of the information relating to deceased individuals under section 38(1)(d) of FOISA.The remainder of the withheld information will be considered under section 38(1)(b) below.
Section 38(1)(b) ? personal data
15.NHS Fife submitted that the remainder of the information was personal data for the purposes of the DPA and that its disclosure would contravene the first data protection principle on fair and lawful processing.Consequently, it argued that the information was exempt under section 38(1)(b) of FOISA.
16.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts information from disclosure where that information is personal data and its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles in Schedule 1 to the DPA.
17.In considering the application of this exemption, the Commissioner must first determine whether the information in question is personal data as defined in section 1(1) of the DPA and then, if it is, whether any of it is sensitive personal data as defined in section 2 of the DPA.If he is satisfied that the information is personal data, he will go on to consider whether its disclosure would breach any of the data protection principles, considering the implications of its status as sensitive personal data as and where appropriate.
18.It must be borne in mind that this particular exemption is an absolute exemption.This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
Is the information under consideration personal data?
19.The Commissioner has considered whether the information withheld is personal data for the purposes of section 1(1) of the DPA; that is, data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in full in the Appendix).It should be noted that the DPA gives effect to Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive), which therefore has a bearing on how the definition should be interpreted.
20.NHS Fife contended that, in seeking details of personal medical information in relation to each of the 27 cases, Dr Leung was seeking personal data.It considered the information to relate to living individuals who could be identified from the data.It continued that there was a significant risk of indirect identification of living individuals because of the low number of claims made and settled relating to clinical negligence, particularly if actual data was provided on the nature of each individual claim (which was very specific and in all cases related to a medical condition).Likewise, if the cases were broken down by speciality for each year, some of the specialities appeared only once in each year.
21.NHS Fife also noted that, in relation to the settlement figures for each year, several of the numbers were fairly low, and contended that to provide each sum along with the other information could lead to indirect identification of the relevant living individuals, particularly in a small geographic area such as Fife.NHS Fife also made case-specific reference to information already in the public domain in relation to these cases.
22.The Commissioner has considered NHS Fife's submissions in the light of the decision of the House of Lords in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1], in which the Lords considered a request for information relating to childhood leukaemia statistics in the Dumfries and Galloway postal area.In that case, the Lords concluded that the definition of "personal data" in the DPA must be read in the light of recital 26 of the Directive (the recital is set out in full in the Appendix) and therefore be taken to permit the disclosure of information which had been rendered fully anonymous in such a way that individuals were no longer identifiable from it, without having to apply the data protection principles.Therefore, if living individuals cannot be identified from the actual information requested, then the information is not personal data and it cannot be exempt under section 38(1)(b) of FOISA.
23.The Commissioner has also noted the opinion delivered by the High Court of England and Wales in Department of Health v Information Commissioner [2011] EWHC 1430 (Admin)[2].
24.The Commissioner has considered whether the withheld information could be considered to be fully anonymous, or whether it might be possible to identify living individuals from that information.
25.Recital 26 of the Directive states that to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the [data] controller or by any other person to identify the said person.Similarly, the guidance entitled "Determining what is personal data" (issued by the UK Information Commissioner, who is responsible for enforcing the DPA throughout the UK)[3] states that consideration of whether a person can be identified should look not just the means reasonably likely to be used by the ordinary man in the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual.
26.The Commissioner has therefore considered not only Dr Leung's reasons for seeking the information but also how other people might use the information following its release, along with other information already in the public domain, to identify living individuals.
27.The Commissioner has considered whether the population and geographical size of the authority's area would make identification a real possibility: generally speaking, the smaller the population and geographical size, the higher the likelihood that identification will occur.Given a population of over 350,000 spread over approximately 1,325 km?, these factors alone do not appear to make identification a real possibility in this case.However, when the population and geographical size of the area are considered alongside the content of the withheld information, the information already in the public domain and the submissions of NHS Fife as outlined above, the Commissioner agrees that the information requested by Dr Leung cannot be fully anonymised to take it outwith the definition of personal data.
28.Consequently, in all the circumstances, the Commissioner accepts that disclosure of the information to which NHS Fife has applied section 38(1)(b) of FOISA could lead to the identification of living individuals.He also accepts that the information relates to those individuals and therefore that it is personal data as defined by section 1(1) of the DPA.
Sensitive personal data
29.NHS Fife submitted that the information sought was also sensitive personal data, in terms of section 2 of the DPA, because the information related to allegations of clinical negligence and payments made as a result of the alleged clinical negligence, and therefore clearly involved consideration of the physical and mental health of the data subjects.
30.Section 2 of the DPA defines sensitive personal data.This includes at section 2(e), personal data consisting of information as to the data subject's physical or mental health or condition. The Commissioner is satisfied that the information under consideration here all relates to the data subjects' medical conditions and is therefore sensitive personal data.
31.The Commissioner will now consider whether disclosure of the information would breach the first data protection principle as submitted by NHS Fife.
Consideration of the first data protection principle
32.The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.The processing in this case would be disclosure in response to Dr Leung's information request.
33.The Commissioner will first of all consider whether any of the Conditions in Schedule 3 can be met, which would allow the processing of the personal sensitive data.If none of these conditions can be met, there will be no requirement to go on to consider the application of the conditions in Schedule 2.
Can any of the conditions in Schedule 3 to the DPA be met?
34.There are 10 conditions listed in Schedule 3 to the DPA.One of these, condition 10, allows sensitive personal data to be processed in circumstances specified in an order made by the Secretary of State and the Commissioner has also considered the additional conditions for processing sensitive personal data as contained in secondary legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.
35.The Commissioner's guidance[4] on the section 38 exemption concludes that in practical terms there are only two conditions in Schedule 3 which would allow sensitive personal data to be processed in the context of a request for information under FOISA, namely:
Condition 1 ? the data subject has given explicit consent to the release of the information; or,
Condition 5 ? the information contained in the personal data has been made public as a result of steps taken deliberately by the data subject.
36.In relation to the withheld information, the Commissioner accepts that the data subjects have not given explicit consent to the release of the information and he would not expect NHS Fife to attempt to obtain such consent.Consequently, he is satisfied that condition 1 in Schedule 3 cannot be met.
37.Similarly, from the information available to him, the Commissioner is unable to conclude that condition 5 in Schedule 3 can be met in this case.
38.Having also considered the other conditions in Schedule 3, the Commissioner has come to the conclusion that none of these would permit disclosure of the sensitive personal data under consideration here. In the absence of a condition permitting disclosure, that disclosure would also be unlawful.Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.
DECISION
The Commissioner finds that Fife Health Board (NHS Fife) complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Dr Leung.
Appeal
Should either Dr Leung or Fife Health Board wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.
Margaret Keyse
Head of Enforcement
29 September 2011
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?
(a) the provision does not confer absolute exemption; and
...
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?
?
(e) in subsection (1) of section 38 ?
(i)paragraphs (a), (c) and (d); and
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
?
(d) a deceased person's health record.
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
?
(b)in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
?
(5) In this section-
"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;
"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;
"health record" has the meaning assigned to that term by section 1(1) of the Access to Health Records Act 1990 (c.23); and
?
Access to Health Records Act 1990
1"Health record" and related expressionsE+W
(1)In this Act "health record" means a record which?
(a)consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record; and
(b)has been made by or on behalf of a health professional in connection with the care of that individual;
?
Data Protection Act 1998
1 Basic interpretative provisions
(1)In this Act, unless the context otherwise requires ?
?
"personal data" means data which relate to a living individual who can be identified ?
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
2 Sensitive personal data
In this Act "sensitive personal data" means personal data consisting of information as to-
?
(e)his physical or mental health or condition,
?
Schedule 1 ? The data protection principles
Part I ? The principles
1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?
(a)at least one of the conditions in Schedule 2 is met, and
(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
?
Schedule 3 ? Conditions relevant for purposes of the first principle: processing of sensitive personal data
1.The data subject has given his explicit consent to the processing of the personal data.
...
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
?
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Recital 26
Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;
[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm
[2] http://www.bailii.org/ew/cases/EWHC/Admin/2011/1430.html
[3]http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf
[4] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=3085&sID=133
