Home Decisions

Decision 183/2025

Decision 183/2025:  Communications relating to specified individuals


Authority: Ayrshire and Arran Health Board
Case Ref: 202500492
 

Summary

The Applicant asked the Authority for communications relating to three specified individuals in relation to a Significant Adverse Event Review (SAER). The Authority responded to the request under data protection legislation.  The Commissioner investigated and found that the Authority had failed to comply with Part 1 of FOISA in responding to the request.  He required the Authority to issue the Applicant with a review outcome under FOISA.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) (General entitlement); 8(1) (Requesting information); 16(1) and (6) (Refusal of request); 19 (Content of certain notices); 38(1)(a) and (d) (Personal information); 47(1) and (2) (Application for decision by Commissioner). 

UK General Data Protection Regulation (the UK GDPR) Articles 4(1) and 15(1). 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 25 October 2024, the Applicant made a request for information to the Authority relating to three specified individuals (himself, his brother and their deceased father) in relation to a specified SAER.   Specifically, he asked for:

    “…all internal communications, including e-mails, FOISA related matters … and reports/documents shared between [the Authority] such as:

     (1) [Specified individual], Complaints Manager and [specified individual], FOI Officer and replies from same from 11/12/2023 and 26/10/2024.

     (2) [Specified individual], Complaints Manager and [specified individual], Deputy Data Protection officer and replies from same from 11/12/2023 until 26/10/2024.

     (3) [Specified individual], Complaints Manager and [specified individual], Clinical Lead Infection Control and [specified individual], Infection Control Manager and [specified individual], Business Manager for [specified individual] and replies from same from 11/12/2023 until 26/10/2024.

    that mention [the Applicant] … [the Applicant’s brother] … and [the Applicant’s father], Deceased … To both [the Applicant] and [the Applicant’s brother]'s complaint into our father’s care and the subsequent significant adverse event review (SAER) into said complaint”.

  2. The Authority responded on 21 November 2024.  It confirmed that it had treated the Applicant’s request as subject access request (SAR) under the UK GDPR and took the following steps:

  • in respect of the Applicant’s own data, it disclosed 33 pages of redacted text and confirmed that it held no personal data falling within part (ii) of their request

  • in respect of the Applicant’s father, it refused to provide information on the basis that he was deceased and therefore not subject to data protection law for the purposes of a SAR

  • in respect of the Applicant’s brother, it refused to provide information to the Applicant on the basis that it had not been authorised to do so (though it confirmed there was no information relating to that individual to be provided).

  1. On 16 December 2024, the Applicant wrote to the Authority requesting a review of its decision. He stated that he was dissatisfied with the decision for the following reasons:

  • the redactions applied by the Authority

  • the Authority had responded to his request as a SAR under data protection legislation when his request had been made under FOISA

  • when treating his request as a SAR, the Authority had failed to issue a refusal notice as required by section 16 of FOISA.

  1. The Authority notified the Applicant of the outcome of its review on 9 January 2025 in the following terms:

  • it confirmed that it had redacted information that did not comprise the personal data of the Applicant or his brother

  • it referred to the Commissioner’s website[1] which said that “it was for authorities to decide which law applied to an information request”

  • it stated that it had processed their request under the DPA 2018 as the “applicable legislation” and that, as the Applicant’s request was not a FOISA request it was not obliged to issue a refusal notice under section 16 of FOISA

  • it confirmed that as the Applicant’s father was deceased his information was not subject to the DPA

  • it advised the Applicant of his right of appeal to the UK Information Commissioner’s Office (UK ICO).

  1. On 31 March 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He stated that he was dissatisfied with the outcome of the Authority’s review because the Authority had responded to his FOISA request under data protection legislation and because the information disclosed to him had been “heavily redacted to the point of being meaningless”.

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 7 April 2025, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application.
  3. The case was subsequently allocated to an investigating officer.  The Authority was invited to comment on this application and to answer specific questions.  The Applicant was also invited to provide further comments.
  4. The Commissioner's remit extends only to the consideration of whether a Scottish public authority has complied with Part 1 of FOISA in responding to a request.  He cannot comment on whether a Scottish public authority should provide information to an applicant under any other rights or legislation (e.g. data protection legislation) or whether an authority has complied with these other rights or legislation.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

FOISA or UK GDPR?

  1. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.
  2. The Commissioner must determine whether the Authority responded to the Applicant’s request for information in accordance with Part 1 of FOISA.

The Applicant’s submissions

  1. The Applicant stated that he had submitted his “original FOISA request” to understand the scope (and progress) of a SAER relating to his father.  He explained that he had submitted his request on the basis that he had previously received incomplete and inaccurate information regarding the SAER.
  2. The Applicant noted that the Authority had responded to his request as a subject access request and argued that it had been incorrect to do so.  He considered the redactions applied by the Authority “frustrating” and argued that it should have disclosed the information requested in full.

The Authority’s submissions

  1. The Authority recognised that any request received could be a request under FOISA. However, it submitted that, in this case, the Applicant’s request was a subject access request and therefore fell to be responded to solely under data protection legislation.
  2. By way of context, the Authority stated that it was aware that the Applicant and his brother were involved in a complaint process and a SAER.  It explained that the Applicant and his brother had made six prior requests for information between them on related matters – all of which had been submitted under FOISA and addressed to its FOI Office.
  3. The Authority stated that it had previously advised the Applicant and his brother that information relating to their deceased father could not be released under FOISA as it was exempt in terms of section 38(1)(d) of FOISA.
  4. In contrast to the previous FOISA requests from the Applicant and his brother, the Authority noted that his present request was addressed to the Authority’s Head of Information Governance and it did not refer to FOISA.
  5. The Authority argued that the previous FOISA requests submitted by the Applicant and his brother demonstrated that they possessed sufficient knowledge to make a request under FOISA, and they had not done so in this case.
  6. On that basis, and given that the Applicant’s present request sought information relating to himself, his brother and their father, the Authority explained that it had treated the Applicant’s present request as a subject access request under the UK GDPR.
  7. Having determined that the Applicant’s request was a subject access request for the Applicant’s own personal data and a subject access request made by him on behalf of his brother, the Authority said that it followed guidance from the UK ICO on responding to third party subject access requests by seeking proof of consent and identification (which was provided).
  8. The Authority submitted that it had issued the Applicant and his brother with an acknowledgement letter advising that his present request was being treated as a subject access request.  It noted that neither party had challenged this in subsequent correspondence until the Applicant queried it in his requirement for review.
  9. The Authority further stated that it had informed the Applicant at various times that no information relating to his deceased father would be disclosed under data protection legislation as the right of access to personal data is limited to living individuals.
  10. The Authority also submitted that the information it held in relation to the Applicant’s father that fell within the terms of the Applicant’s request would also not be disclosable under FOISA.  However, on reflection, it acknowledged that it should “perhaps” have reiterated this to the Applicant and his brother as part of its response under data protection law.

The Commissioner’s view 

  1. The Commissioner has issued guidance on section 38 of FOISA[2], and, in particular, the actions that should be taken by a Scottish public authority when it receives a request under FOISA where someone asks for their own personal data. His guidance is clear that, even if an authority considers a request is for the applicant's own personal data, it should issue a refusal notice in terms of section 16 of FOISA: failure to do so is a failure to comply with Part 1 of FOISA. 

  2. Where the information requested is a mix of the requester’s personal data and the personal data of third parties, the Commissioner’s guidance states:

    “If the personal data is difficult to separate, the appropriate way forward is to consider the information under the exemption in section 38(1)(a) … Treating the request as a request under the UK GDPR … will allow the public authority to consider whether disclosing any of the third party’s personal data would adversely affect their rights and freedoms in line with Article 15(4) of the UK GDPR …”

  3. Furthermore, the Commissioner’s guidance on the exemption in section 38(1)(d) of FOISA states that a record “relating to the physical or mental health of an individual … made by or on behalf of a health professional in connection with the care of that individual” is exempt from disclosure under FOISA.
  4. The Commissioner accepts that this case is not straightforward.  However, taking into account the terms of the request, he considers it clear that the information requested comprised a mixture of information – not simply the Applicant’s own personal data (or that of his brother, on whose behalf he had made a subject access request).  In any case, it met the requirements for a valid request in section 8(1) of FOISA and made no mention of the Applicant seeking to exercise his rights under the UK GDPR.
  5. In this case, therefore, the Commissioner considers that the Applicant made a valid request under section 1(1) of FOISA for information held by the Authority.  
  6. In the circumstances, the Commissioner understands why the Authority responded under the UK GDPR/DPA 2018 solely.  However, given that the Applicant’s request met all the requirements of section 8(1) of FOISA, and sought information which extended beyond his own personal data (namely information relating to his deceased father), the Authority had a duty to provide the Applicant with a response which complied with section 16 of FOISA.
  7. Section 16(1) of FOISA states that where an authority holds information which is subject to a request under section 1(1) of FOISA, and which it intends to withhold under any exemption, the authority must give the applicant notice in writing to the effect that the information is held and specify which exemption it considers applies to the information (with reasons).
  8. Section 16(6) of FOISA also makes it clear that a notice in terms of section 16(1) is subject to section 19 of FOISA, which requires the authority to include details of their right to seek a review and to apply to the Commissioner.
  9. The Commissioner notes that (although it held information falling within the scope of the request) the Authority’s response to the Applicant’s request for information did not comply with the requirements of section 16(1) and section 19 of FOISA.  It did not specify which exemption(s) in FOISA permitted it to withhold the information under FOISA (and information relating to a deceased person clearly needs to be approached under FOISA in the same way as any other recorded information) and, although it provided details of appeal rights, these related to the Applicant’s rights under the UK GDPR/DPA 2018.
  10. In conclusion, the Commissioner finds that the Authority failed to comply with the technical requirements of sections 16 and 19 of FOISA, as outlined above, in responding to the Applicant’s request for information.
  11. In the circumstances, the Commissioner requires the Authority to issue a revised review outcome (in terms of section 21 of FOISA) in response to the Applicant’s request.
  12. For the avoidance of doubt, the Authority’s revised review outcome must give the Applicant notice in writing to the effect that the information is held and, if it intends to withhold it, to specify which exemption(s) it considers applies to the information (with reasons).

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant by failing to provide a refusal notice under section 16(1) of FOISA and by failing to inform the Applicant of his right to request a review and appeal to the Commissioner, as required by section 19 of FOISA.

The Commissioner therefore requires the Authority to reconsider the request under FOISA, consider for disclosure under FOISA any information falling within the scope of the request and issue the Applicant with a review outcome (in terms of section 21 of FOISA). The review outcome must give the Applicant notice in writing to the effect that the information is held and, if it intends to withhold it, to specify which exemption(s) it considers applies, with reasons. 

The Authority is required to comply by 5 September 2025.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement 

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

Euan McCulloch 

Head of Enforcement 


22 July 2025