Decision 189/2025: Information relating to investigation of a complaint

 

Authority: Greater Glasgow and Clyde Health Board
Case Ref: 202300151
 

Summary

The Applicant asked the Authority for all correspondence between staff members in relation to a complaint, and investigation around a complaint the Applicant made relating to his daughter (the true Applicant, or data subject).  The Authority withheld all information requested on the grounds that it was the true Applicant’s personal data.

The Commissioner investigated and found that the Authority was entitled to withhold the personal information requested.  However, the Commissioner also found that the Authority failed to comply with the Applicant’s requirement for review within the timescale laid down by section 21(1) of FOISA.  

 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(2)(e)(i) (Effect of exemptions); 38(1)(a) (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “the UK GDPR”) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions) and 15 (Right of access by the data subject).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3) and (5) (Terms relating to the processing of personal data).

 

Background

  1. On 11 October 2022, the Applicant made a request for information to the Authority.  He asked for the following:

    i. I wish copies of all electronic communication (e-mail, MS Teams etc) and all hard copies (notes from meetings, notes made from telephone calls) in relation to the following complaint reference (complaint reference number).  Inclusive, but not exhaustive, from [named] Complaints Manager and or any of the Complaints team, Senior Clinical Management Team and Management Representatives. (Whereby any of the following is noted: - reference [complaint reference number and name of third-party data subject] or abbreviations of this name / CHI number of [name of data subject] / referral reference number). 

    ii. I wish copies of all electronic communication (e-mail, MS Teams etc) and all hard copies (notes from meetings, notes made from telephone calls) in relation to correspondence from [named] Director – Women & Children’s Directorate to Complaints Manager and or any of the Complaints Team. (Whereby any of the following is noted: - reference (reference number) / [data subject] or abbreviations of this name / CHI number of [data subject]/referral reference number).  This is to include his approval of the investigation and authorise for release of response letter pertaining to reference (reference number).

    iii. I wish copies of all electronic communication (e-mail, MS Teams etc) and all hard copies (notes from meetings, notes made from telephone calls) in relation to the vetting of the referral of [data subject] on the 19/08/2022 from any Senior Clinical Management Team and Management Representatives or those involved directly with the referral process. Whereby any of the following is noted: - reference (reference number)/[data subject] or abbreviations of this name / CHI number of [data subject] / referral reference number). Please note, I am not asking for Health/Medical Records.

    iv. I wish, as part of the NHS GG&C referral guidelines, wish to know under which one of the ‘six points’ of reasons why the Royal Hospital for Children did not accept the referral of [data subject]. (Paediatric for Healthcare Professionals) Outpatient referrals (scot.nhs.uk). Whereby any of the following is noted: - [data subject] or abbreviations of this name / CHI number of [data subject]/referral reference number/GP [name of surgery]).  Please note, I am not asking for Health/Medical Records.

  2. The Authority responded on 4 November 2022.  The Authority confirmed that the information requested was held but that under FOISA it is exempt in its entirety as third-party personal data, applying section 38(1)(b). The Authority stated:

    “I acknowledge that you are not asking for health or medical records, but personal information of individuals is not held exclusively in health or medical records.  In this case the information relating to a complaint, the vetting of a referral, and the reasons why the referral was not accepted, all constitute personal data of an individual.  This information would fall within the definition of “data” as set out in data protection legislation.  In addition, the information would fall within one of the special categories of personal data, as it reveals information about an individual’s health.  Personal data is exempt from disclosure if disclosure would contravene any of the data protection principles in the UK GDPR and in the DPA 2018. This exemption is absolute, so we are not required to consider the public interest test.”

  3. On 4 November 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision for the following reasons:
  • The time taken by the Authority to issue a response applying a “general exemption” to all four questions.

  • The Authority’s failure to provide information in response to his general request in part IV where he asked it to specify which of the six reasons given in the Outpatients referrals for Paediatrics for Healthcare Professionals the Royal Hospital for Children relied upon for not accepting the urgent referral.   

  • His view that the Authority could have disclosed to him information held which would fulfil parts I, II or III of the request, subject to redaction of any patient identifiable information.   

  • His recognition of the statement made by the Authority in its initial response where it said: 
    “I note that you state that you are not asking for Health/Medical records, but I should let you know that personal information is generally exempt from being disclosed under FOI legislation. This is because any information released under FOI has the effect of being made publicly available and theoretically could then be made available to anyone. It is therefore unlikely that the information you request will be provided under FOI.”

      He noted that he never intended to make the information released to him publicly available, and noted his relationship with the third party.

  • The lack of clarity over whether, in relation to part II of his request, the response was actually reviewed, agreed and authorised by the named person and that they were content with the result of the complaint and the urgent referral being declined.

  1. The Authority notified the Applicant of the outcome of its review on 31 January 2023, which was outwith the timescales for a review response to be issued.
     
  2. The Authority acknowledged that the response could have been more forthcoming but also that FOISA provides statutory deadlines, which they met, responding within the 20 working days timescale for the initial request.  The review also acknowledged that the Applicant was advised of how personal data was handled under FOISA and that the Applicant was advised of an alternative process for accessing this type of information, by submitting a Subject Access Request, as well as making an offer for the Applicant to discuss the request with a Service Manager.
  3. The Authority also offered an alternative exemption for the information being withheld, stating that: 

    “…the Review has considered the guidance available on the circumstances where a third party is acting on behalf of a data subject.  This scenario is covered by exemption 38(1)(a) rather than (b).  Under Section 38(1)(a), if an applicant requests their own personal data under FOISA it is exempt from disclosure.  This is because the most appropriate route for access to personal data rests with Article 15 of the UK GDPR and section 45 of the Data Protection Act (2018).  Disclosing personal data under data protection legislation, rather than FOISA, ensures that it is only disclosed to the data subject and it is kept private.

    The same is true where someone asks for personal data under FOISA on behalf of someone else (e.g. a parent on behalf of a child).  This will be exempt from disclosure under Section 38(1)(a).  FOISA requires the applicant to be issued with a section 16 refusal notice.  It is also good practice under section 15 to advise the applicant to instead make a Subject Access Request (SAR) under data protection legislation whereby a Public Authority can take steps to ensure that the requestor is acting on behalf of the data subject by way of mandate from the person on behalf of whom the request is being made.”

    The Review concluded that the exemption of section 38(1)(b) was not correct; the conclusion does not directly state that the information is therefore being withheld under section 38(1)(a) as an alternative, but this appears to be the logical implication, given the quote above.  The Authority reiterated that the best way to access the information would be to submit a SAR and a signed mandate from the third party.

  4. On 13 February 2023, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not agree with the information being withheld and did not agree with the exemption applied.  He also stated that the review response was outwith statutory timescales and that not all of his questions were addressed separately.

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 14 February 2023, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments.
  3. The Authority was also asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information along with its comments.
  4. The case was subsequently allocated to an investigating officer.
  5. Following consideration of the comments provided by the Authority along with the withheld information, the investigating officer contacted the Authority again to seek further comments and submissions as to which exemption in FOISA the Authority was relying on to withhold information from the Applicant and why it considered this to be applicable.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 38(1)(a) – Personal information (requesting data on behalf of another)

  1. The Authority confirmed to the Commissioner in its submissions that it was relying on the exemption in section 38(1)(a) for withholding information from the Applicant.
  2. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject.  The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.
  3. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the UK General Data Protection Regulation (UK GDPR).  This route is more appropriate for individuals accessing their personal data as it ensures that it is disclosed only to the individual.
  4. The Commissioner’s guidance[1] states that the exemption in section 38(1)(a) will apply if a request is made for a third party’s personal data by an individual acting on behalf of that third party.  (For example, where a parent makes a request on behalf of a young child or a solicitor makes a request on behalf of their client.)
  5. Authorities should take appropriate steps to confirm that the requester is acting on behalf of the data subject.  This might include asking to be provided with a mandate from the person on whose behalf the request is being made.
  6. In this case the Authority took the position that the Applicant was requesting information on behalf of a third party (his child) and was satisfied this was the case because of the complaints process, in which a mandate was supplied confirming the relationship between the Applicant and the third party.
  7. The Authority made attempts to advise the Applicant throughout the process that a more appropriate route to access this type of information would be to submit a Subject Access Request, allowing it to be handled fully under UK GDPR and DPA 2018.
  8. Section 38(1)(a) of FOISA does not deny individuals a right to access personal information on behalf of a third party but ensures that the right is exercised under the correct legislation (the UK GDPR) and not under FOISA.
  9. Personal data is defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the UK GDPR:

"… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

  1. The Commissioner has carefully considered the information withheld under section 38(1)(a) of FOISA.  It is apparent that the subject matter of the request and the withheld information relate to a third party and their special category data (the true Applicant).  It is also apparent that the true Applicant could be identified and have other sensitive personal data disclosed from the information withheld under section 38(1)(a) of FOISA.
  2. The Commissioner therefore considers that the information withheld under section 38(1)(a) of FOISA is the personal data and special category data of the true Applicant (in this case a third party) and can therefore be withheld under this exemption. 

Timescales

Section 21(1) of FOISA

  1.    Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review.  This is subject to qualifications which are not relevant in this case.

  2.    As noted above, the Applicant submitted his requirement for review to the Authority on 4 November 2022.  The Authority subsequently responded to this on 31 January 2023.

  3.    It is a matter of fact that the Authority did not provide a response to the Applicant’s requirement for review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA.

  4.    As the Authority responded to the Applicant’s requirement for review on 31 January 2023, the Commissioner does not require it to take any further action in relation to the Applicant’s application.

  5.    The Commissioner notes that the Authority acknowledged its response to the Applicant’s requirement for review exceeded the statutory timescale and apologised to the Applicant for its failure. However, the Commissioner also notes that no explanation was ever provided for the delay, either to the Applicant or to the Commissioner.

Content of response to request for review

  1. In his application, the Applicant expressed dissatisfaction that the Authority failed to address each of the questions raised in his requirement for review separately.

  2. In response to this concern, the Authority recognised that it may have been more helpful to the Applicant for it to respond to each question in turn. 

  3. Having considered the content of the response to the requirement for review provided to the Applicant, the Commissioner agrees that it would have been helpful if the Authority had responded to each of the Applicant’s reasons of dissatisfaction in turn and provided a clear explanation of its position in respect of each part.

  4. That said, having read the response to the requirement for review, it is apparent from the remarks against point 2 that the Authority’s review considered its decision to exempt information covered by all parts of the request under section 38(1)(b) of FOISA.  The Authority then went on to offer justification for its application of this exemption and its view that section 38(1)(a) was more relevant.  The Commissioner also notes that the Authority responded to the Applicant’s concern over the time taken to respond to his information request.  The Commissioner therefore accepts that whilst the response could have been structured in a more helpful and clear manner, it does convey to the Applicant the Authority’s position in respect of the matters of dissatisfaction raised.

Decision 

The Commissioner finds that the Authority partially failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in dealing with the information request made by the Applicant.  

The Commissioner finds that the Authority complied with section 1 of FOISA by correctly relying on the exemption in section 38(1)(a) for withholding information from the Applicant.

However, the Commissioner finds that the Authority failed to respond to the Applicant’s requirement for review within the timescale laid down by section 21(1) of FOISA.  

As the Authority did provide a response to the Applicant’s requirement for review, albeit outwith the statutory timescale, the Commissioner does not require it to take any action in relation to this breach in respect of this application.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Euan McCulloch 

Head of Enforcement 


30 July 2025