Decision Notice 302/2024: Significant Adverse Event Review reports
Authority: Lothian Health Board
Case Ref: 202401199
Summary
The Applicant asked the Authority for copies of various Significant Adverse Event Review (SAER) reports produced since the start of 2018 regarding incidents relating to the mental health of children and adolescents. The Authority withheld the information because it was third party personal data. The Commissioner investigated and found that the Authority was entitled to withhold the information, but that it failed to inform the Applicant that it did not hold some of the information requested. He required the Authority to issue a revised review outcome to notify the Applicant of the information it did not hold.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 9(1) and (2)(a) and (e) (Processing of special categories of personal data)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) Terms relating to the processing of personal data)
Background
1. On 10 June 2024, the Applicant made a request for information to the Authority. She asked for copies of all (SAER) review reports produced since the start of 2018 that involved:
a) a patient, under the age of 18 in the Authority’s area, placed in an inpatient mental health service for children and adolescents
b) a patient, under the age of 18 in the Authority’s area, placed in an inpatient mental health service for adults
c) an inpatient mental health service for children and adolescents in the Authority’s area
d) the placement of a child or adolescent in an adult inpatient mental health service in the Authority’s area.
2. The Applicant noted that she understood details of individual patients would be redacted.
3. The Authority responded on 4 July 2024. It withheld the information requested under the exemption in section 38(1)(b) of FOISA. It noted that from 1 January 2018 there had been a total of five or fewer adverse events, some of which were still being reviewed. Given the small number of reports concerned and the nature of these reports, it stated it was unable to disclose any of the reports even in a redacted format. It withheld the reports still being reviewed, under the exemption(s) in section 30 of FOISA.
4. On the same day, the Applicant wrote to the Authority requesting a review of its decision. She stated that she was dissatisfied with the decision because, given the timeframe of her request and the clear public interest in disclosure, she did not accept that the reports could not be released at all.
5. The Authority notified the Applicant of the outcome of its review on 7 July 2024, which fully upheld its original decision without modification.
6. On 9 September 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. She stated that she was dissatisfied with the outcome of the Authority’s review because she did not accept that the reports, once properly redacted of personal details, could not be disclosed and that the public interest favoured disclosure.
Investigation
7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
8. On 24 September 2024, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The case was allocated to an investigating officer and the Authority provided the information.
9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions.
Commissioner’s analysis and findings
10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
11. During the investigation, the Applicant confirmed that she was only seeking completed SAER reports. As the Authority stated that it only wished to rely upon the exemption(s) in section 30 of FOISA for SAER reports that yet to be completed, the Commissioner will not consider the application of the exemption(s) under section 30 of FOISA further in his decision.
Information in scope
12. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the public authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable in this case.
13. The information to be given is that held by the Authority at the time the request is received, as defined by section 1(4). This is not necessarily to be equated with information that an applicant believes the public authority should hold. If no such information is held by the public authority, section 17(1) of FOISA requires the authority to give the applicant notice in writing to that effect.
14. During the investigation, the Authority notified the Commissioner that it held no information falling in scope of some parts of the Applicant’s request. It argued that only some information was not held, which was not the same as information not being held for the whole request.
15. In this case, the Applicant split her request into four parts. While the parts of her request are related, they are not identical and do not capture the same information. In order to meet its obligations under FOISA, the Authority was required to respond to each part of the request and to fully consider the constituent elements of each part of the request. If the Authority did not hold some of the information requested, it was required, in terms of section 17(1) of FOISA, to notify the Applicant of this in writing.
16. The Authority failed to give the Applicant notice in writing, in terms of section 17(1) of FOISA, that it did not hold some of the information she had requested.
17. The Commissioner must, therefore, find that, by failing to give the Applicant notice in writing that certain information was not held, the Authority failed to comply with section 17(1) of FOISA. He requires the Authority to issue a revised review outcome to the Applicant giving notice, in terms of section 17(1) of FOISA, for the parts of her request for which it does not hold any relevant information.
Section 38(1)(b) – Personal information
18. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) (or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
19. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
20. To rely on the exemption in section 38(1)(b) of FOISA, the Authority must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.
21. Article 9 of the UK GDPR describes personal data that falls within the special categories of personal data, including where it reveals information about an individual’s health.
Is the information personal data?
22. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. “Identifiable living individual” is defined in section 3(3) of the DPA 2018. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)
23. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
24. The Commissioner must also consider whether any of the withheld information is special category data as defined in Article 9 of the UK GDPR. This includes data which concerns the health of an individual.
25. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland . The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain – if the risk of identification is "insignificant", the information will not be personal data.
26. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply. As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.
27. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments. It confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when data subjects are no longer identifiable.
28. The Applicant agreed that patient names should be redacted from the reports but considered that, with proper redaction, it would be possible to preserve patient confidentiality while allowing some information to be disclosed about the adverse events affecting children with mental health issues to be disclosed. She noted that another health board had decided they could disclose similar information, which suggested that a similar approach could be taken by the Authority in this case.
29. The Authority submitted that there were five or fewer adverse events (some of which were still under review) falling within the scope of the request. Due to the small number of reports and the nature of these reports, it did not consider it possible to release any of the reports even in a redacted format. It also noted that redacting the reports would leave such limited information as to render them meaningless.
30. The Authority submitted that the information requested related to young vulnerable children dealing with trauma who, if the information requested were disclosed, may be identifiable to themselves or to family members. It argued that this would increase their trauma response.
31. The Authority stressed that, unlike similar information it disclosed on previous occasions, the information requested in this case was not a random sample. Instead, the information requested comprised a set of highly identifiable reports in relation to potentially very vulnerable children from a specific area of the Authority’s work.
32. The Commissioner has carefully considered the withheld information and the submissions made by both the Applicant and the Authority. Having done so, he considers it likely, due to the small number of reports involved, information already known to patients, their relatives and other individuals and all other relevant circumstances, that disclosure of the information requested would lead to the identification of individuals.
33. While it will often be the case that requesting information over a longer timeframe will reduce the risk of identification, the Commissioner does not accept, given the nature of the information requested and the small number of reports falling within scope of the request, that the timeframe specified in the request renders the risk of identification of individuals insignificant. In the circumstances, he is satisfied that the risk of identification of individuals is realistic.
34. The Commissioner has considered the Applicant’s suggestion that some information could be disclosed after the redaction of personal details. However, having reviewed the withheld information, the effect of taking out anything which would realistically identify individuals would, in the Commissioner's view, lead to the remainder of the information being unintelligible or of no practical use to the Applicant. He is therefore satisfied that the withheld information cannot meaningfully be anonymised.
35. In coming to this view, the Commissioner took account of the 2016 judgment of the First Tier Tribunal (Information Rights) in Paul Boam and the Information Commissioner and Ofsted . In that case, the Tribunal accepted that there are limits to reasonable redaction, for example in cases where:
“the excisions required for anonymisation must be so drastic that what remains in incoherent or even meaningless" meaning that it is reasonable to redact entire documents.”
In the Commissioner’s view, that would be the result of anonymisation in this case.
Special category data
36. Article 9 of the UK GDPR sets out special categories of data, which is personal data which is considered to need further protection because of its particular sensitivity. This includes health information.
37. Having reviewed the withheld information, the Commissioner is satisfied that it would, if disclosed, reveal health information about children and adolescents. He considers that the data, therefore, meet the definition of special category data.
Special category data – Lawfulness
38. The Commissioner has accepted that the information would be special category data for the purposes of Article 9(1) of the UK GDPR. Special category personal data is afforded more protection by the UK GDPR. To be lawful, their processing must meet one of the conditions in Article 9(2) of the UK GDPR.
39. The Commissioner’s guidance on section 38 of FOISA notes that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances. He considers that the only situations where it is likely to be lawful to disclose special category personal data in response to an information request under FOISA is where the condition in Article 9(2)(e) of the UK GDPR applies.
Article 9(2)(e): Manifestly made public
40. Article 9(2)(e) of the UK GDPR allows special category personal data to be processed where the personal data have manifestly been made public by the data subjects.
41. “Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.
42. Neither the Authority nor the Applicant has suggested that the personal data have manifestly been made public by the data subjects.
43. The Commissioner is satisfied that the information would not have been made public as a result of steps deliberately taken by the data subjects, and so condition 2(e) could not be met in this case. It is not information of a kind it would be reasonable to expect would be made public in such a manner.
44. In the circumstances, the Commissioner must conclude that, in the absence of a condition in the UK GDPR allowing the special category personal data to be processed, that disclosure would be unlawful. Consequently, he is satisfied that the personal data was correctly withheld under section 38(1)(b) of FOISA.
Special category data – Fairness
45. Given that the Commissioner has concluded that the processing of the special category personal data would be unlawful, he is not required to go on to consider whether any such disclosure would otherwise be fair or transparent in relation to the data subjects
Decision
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that the Authority complied with Part 1 of FOISA by correctly withholding information under the exemption in section 38(1)(b).
However, the Commissioner finds that the Authority failed to comply with Part 1 of FOISA by failing to give notice in writing to the Applicant, in terms of section 17(1) of FOISA, that it did not hold some of the information she had requested.
The Commissioner therefore requires the Authority to issue a revised review outcome to the Applicant giving notice, in terms of section 17(1) of FOISA, for the parts of her request for which it does not hold any relevant information, by 5 February 2025.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Euan McCulloch
Head of Enforcement
20 December 2024
