Decision 253/2024: Medical reports on fractures in babies/infants

Authority: NHS Tayside
Case Ref: 202400272

Summary

The Applicant asked the Authority for medical reports written by a named doctor over the last five years.  The Authority provided some information but withheld other information because it was third party personal data.  The Commissioner investigated and found that the Authority was entitled to withhold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (3) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 38(1)(b); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a); 9(1) and (2)(a) and (e) (Processing of special categories of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

Background

1. On 13 December 2023, the Applicant made a request for information to the Authority.  

She asked for all medical reports written by a named doctor over the last five years which related to fractures in babies/infants.  The Applicant stated that she expected the reports to be redacted and she clarified that she was looking for the template used for completing these forensic reports and the academic information and literature contained within.

2. The Authority responded on 4 January 2024.  It provided the Applicant with blank template copies of two different medical examination reports, and it stated that it could not disclose medical reports as they formed part of a patient’s medical record, and disclosure would breach data protection legislation.  It withheld this information under section 38(1)(b) of FOISA.

3. On 4 January 2024, the Applicant contacted the Authority with a new request asking:

(i) whether the template reports provided were the most recent versions;

(ii) whether it was possible to be provided with the academic literature detailed in the reports; and

(iii) how many forensic reports the named doctor had written over the last five years.

4. On 23 January 2024, the Authority provided the Applicant with some further information in relation to parts (i) and (iii) of her request, but it continued to withhold information falling within the scope of part (ii) of her request on the grounds that disclosure would breach data protection legislation.

5. On 23 January 2024, the Applicant wrote to the Authority, requesting a review of its response to part (ii) of her information request.  The Applicant stated that she did not understand how providing her with the academic literature referred to in the doctor’s previous reports would identify any individual, and she asked the Authority to carry out a review.

6. The Authority notified the Applicant of the outcome of its review on 19 February 2024.  It upheld its application of section 38(1)(b) of FOISA.

7. On 19 February 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant did not accept that the exemption applied, and she challenged the Authority’s decision to withhold the academic literature referenced by the doctor, arguing that its disclosure would not identify any individual.  

Investigation

8. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

9. On 10 April 2024, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments, and the case was subsequently allocated to an investigating officer.

Commissioner’s analysis and findings

10. The Commissioner has carefully considered all of the submissions made to him by the Applicant and the Authority.  

11. In this case, the Commissioner is unable to set out the Authority’s reasoning (or his own) in full as doing so could itself lead to the disclosure of the contents of the information which has been withheld by the Authority.  This consideration has been acknowledged by the courts.  In the case of Scottish Ministers v Scottish Information Commissioner (William Alexander’s Application) [2006] CSIH 8, the Court of Session commented that, in giving reasons for a decision, the Commissioner is necessarily restrained by the need to avoid disclosing information which ought not to be disclosed.

Interpretation of the scope of the request

12. The Applicant only sought a review of request (ii).  However, during the investigation the Authority provided the Commissioner with an updated figure for the information it held in relation to request (iii), explaining that while it had notified the Applicant that the named doctor had issued 74 reports over the last five years, there were, in fact, considerably fewer reports that related to fractures in babies/infants.

13. It is clear, from the wording of the Applicant’s original email of 13 December 2023, and the context of the request dated 4 January 2024, that the Applicant was only interested in reports which concerned fractures in babies/infants.  It is equally clear that the Authority disregarded this and instead focused on the total number of reports the doctor had authored in the time period, regardless of subject matter.  In the Commissioner’s view, the Authority took an overly broad interpretation of request (iii) and, in doing so, it provided her with inaccurate and misleading information in response to request (ii).

14. If the Authority had any concerns about the scope of the request, and whether the Applicant was seeking all of the reports authored by the doctor, or only those relating to fractures in babies/infants, it should have sought clarification as provided by section 1(3) of FOISA.  It did not do so.

15. The Commissioner notes that the Authority reviewed its interpretation of the scope of the request during the investigation and reduced the number of reports captured by the request.  Given the relevancy of request (iii) to the information captured by request (ii), it is the Commissioner’s view that the Authority should have notified the Applicant of this reduction in the number of reports captured by her request, with due regard to its obligations under data protection legislation, even though the Applicant did not specifically ask the Authority to review its response to request (iii) in her requirement for review.  The Commissioner will consider the application in what follows in the context of that reduced number.

Information disclosed by the Authority

16. During the investigation, the Authority provided the Applicant with a list of the academic literature referenced in the reports captured by her request.

17. The Applicant was dissatisfied with this disclosure because it did not provide what she had asked for: namely, the actual redacted reports.

18. The Commissioner will now go on to consider whether the redacted reports are personal data, as argued by the Authority.

Section 38(1)(b) – Personal Information

19. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.

20. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

21. To rely on the exemption in section 38(1)(b), the Authority must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.

22. Article 9 of the UK GDPR describes personal data that falls within the special categories of personal data, including where it reveals information about an individual’s health.

Is the information personal data?

23. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual.  “Identified living individual” is defined in section 3(3) of the DPA 2018.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)

24. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

25. The Commissioner must also consider whether any of the withheld information is special category data as defined in Article 9 of the UK GDPR.  This includes data which concerns the health of an individual.

26. The Applicant argued that the information she requested did not identify any living individuals because it was purely references to academic literature.

27. The Authority argued that it considered the information to be personal data for the purposes of section 3 of the DPA 2018.  Its submissions cannot be reproduced in full, in order not to disclose the withheld information, but essentially it argued that disclosure of the information would involve the disclosure of health information (which is special category data in terms of Article 9 of the UK GDPR).

28. The Commissioner has carefully considered the nature of the withheld information, and the submissions made by both the Applicant and the Authority.  In this case, while he is unable to set out his reasoning in full, in order to not disclose the withheld information, the Commissioner is satisfied that in the circumstances of this particular case, the information is the personal data of identifiable individuals as defined in section 3(2) of the DPA 2018.  

29. He considers it likely that, due to the small numbers of reports involved and all other relevant circumstances, disclosure of the information would lead to the identification of the children who are the subject of the reports.

30. Article 9 of the UK GDPR sets out special categories of data, which is personal data which is considered to need further protection because of its particular sensitivity.  This includes health information.  

31. The Commissioner is satisfied that the withheld information, if disclosed, would reveal health information about children as it would confirm that they had suffered specific medical injuries (fractures) and that the data, therefore, meets the definition of special category data.  

32. As outlined above, the Authority originally argued that it held 74 reports that fell within the scope of request (iii), before establishing that the relevant number was in fact considerably smaller.

33. While the Commissioner is satisfied that disclosure of the academic references contained in each relevant redacted report would disclose personal data, he does not accept that disclosure of the academic references in all 74 reports (had these all been relevant to the request) would have engaged the exemption in section 38(1)(b), as the larger number of reports would have made the identification of the patients virtually impossible.  

Special Category Data - Lawfulness

34. The Commissioner has accepted that the information would be special category data for the purposes of Article 9(1) of the UK GDPR.  Special category personal data is afforded more protection by the UK GDPR.  To be lawful, their processing must meet one of the conditions in Article 9(2) of the UK GDPR.

35. The Commissioner’s guidance on section 38 of FOISA notes that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances.  The Commissioner considers that the only situations where it is likely to be lawful to disclose special category personal data in response to an information request under FOISA is where the condition in Article 9(2)(e) applies.

Article 9(2)(e): Manifestly made public

36. Article 9(2)(e) allows special category personal data to be processed where the personal data have manifestly been made public by the data subjects.

37. “Processing” of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.

38. Neither the Authority nor the Applicant has suggested that the personal data have manifestly been made public by the data subjects.

39. The Commissioner is satisfied that the information would not have been made public as a result of steps deliberately taken by the data subjects, and so condition 2(e) could not be met in this case.  It is not information of a kind it would be reasonable to expect would be made public in such a manner.

40. In the circumstances, the Commissioner must conclude that, in the absence of a condition in the UK GDPR allowing the special category personal data to be processed, disclosure would be unlawful.

Special Category Data - Fairness

41. Given that the Commissioner has concluded that the processing of the special category personal data would be unlawful, he is not required to go on to consider whether any such disclosure would otherwise be fair or transparent in relation to the data subjects.  

Decision

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Euan McCulloch
Head of Enforcement

11 November 2024