Skip to content
Contents

GIDS Cass Review: Audit on Characteristics of 40 Detransitioned Patients

Reference: 24-25017

Date response sent: 01/07/2024

Details of enquiry

Thank you for replying, and especially for giving my request your detailed consideration well within the 20 day limit. It is really impressive and I am grateful to you.

May I ask you please to undertake an internal review of your response as I don’t think that s.40(2) was engaged correctly. While I accept the Trust’s position that this audit contains personal information, I believe that the audit could be anonymised, meaning that it is no longer personal information under the terms of s.40(2) / GDPR.

Anonymisation

I don’t think the Trust investigated the potential for this information to be anonymised. I believe that for three reasons. Firstly, the Trust’s statements about whether the information could be anonymised were inconsistent. On the one hand, the Trust said that anonymising the data would render it meaningless (“Redaction of these details would thereby render the remaining text as meaningless.”). But on the other hand, redaction would permit individuals to be identified (“even if redacted, for low numbers, and/or personal experiences/circumstances the facts mentioned could lead to the identification of patients…”). This left me thinking that the Trust had not thought deeply about the question.

Secondly, even in its reply to me, the Trust already disclosed much meaningful information about the audit, making me think that it is amply possible to disclose material that is meaningful without compromising patient rights. Specifically, the Trust told me that the data was organised into two cohorts, representing patients from 2010-15 and 2017-20; that there were 21 and 43 patients in each cohort; and that there is a “mental illness/autism prevalence” in the group. The Trust further stated that it knows that former patients, described in the audit, are active on social media, and that their identities could be established by triangulating data from social media with audit data. It’s worth mentioning that, although the Trust mentioned (incorrectly, as I maintain) that the audit would be rendered meaningless by anonymisation, under FOI it is not for the Trust to judge the meaning of information it releases. My sense is that there is ample meaning to be drawn from an anonymised disclosure of this audit.

Finally, the Trust made a related legal point about patients’ right to confidentiality that made me think that perhaps there was some confusion about the definition of ‘personal information’. The Trust said: “Redacting or masking of these characteristics and details would not ensure the patients right to confidentiality”. However, once anonymised, this data ceases to be ‘personal data’ under GDPR and therefore it can be processed lawfully. Overall then there seemed to be confusion about the potential to anonymise and then release this audit.

The Trust can refer to Chapter 3 of the ICO’s guidance on anonymisation for guidance about how to approach it.

https://ico.org.uk/media/1061/anonymisation-code.pdf

Case Study 6 gives a practical example of anonymising qualitative data.

The ICO’s guidance on anonymisation (p.20) says:

“Even if a FOIA request is refused on section 40 (personal data) grounds, a more limited or possibly restricted form of disclosure might satisfy the requester. FOIA does not rule out this approach and it may help the requester if some anonymised data is released, rather than the request being turned down entirely on section 40 grounds.”

May I also draw your attention to ICO section 40 guidance:

“the test remains whether it is possible to identify a specific individual solely by relying on the data available. Identifying a pool that contains or may contain a person covered by the data is not sufficient. Saying that it is reasonably likely that someone is covered by the data is not sufficient. Still less is it sufficient to say that it is reasonably likely that a particular individual may be one of the pool.”

ICO guidance states:

“the fact that there is a very slight hypothetical possibility that someone might be able to reconstruct the data in such a way that the individual is identified is not necessarily sufficient to make the individual identifiable.”

Public Interest Test

You undertook a public interest test but s.40(2) is not subject to a public interest test if disclosure would not be permitted under the 2018 Data Protection Act. Even so, were a public interest test to be necessary, I would have said that the Trust didn’t describe the public interest in disclosure adequately. The Trust offered a generic rationale about transparency adn accountability, however the key point here is that disclosure would tend towards the safe care of the Trust’s patients. The care of detransitioned patients is legitimately a matter of public interest, as evidenced by the frequent reference to them in the final report of the independent Cass Review, including an outline description of the audit that’s the subject of my FOI request.

Lawfulness of the audit

In your reply, you say that “Whilst the audit was conducted by Trust staff, it was neither commissioned nor approved for any purposes by the Trust” and that the audit “was not commissioned, nor approved nor endorsed by the Trust.” You mention that patient data held by the Trust “would be used, only with their [ie patients’] permission, for very limited purposes”. I did not understand the relevance of the Trust’s remarks to my FOI request. If the Trust is telling me that its employees who did the audit obtained unauthorised access to the highly sensitive personal data of the Trust’s patients, and that they processed it unlawfully without consent, contrary to GDPR, then that would be a significant breach of data governance that I would expect the Trust to investigate. Otherwise, I’m not sure what the relevance of those remarks is: the audit was done by Trust employees during the course of the working day, and using tools and data provided by the Trust, so the audit is the Trust’s product.

Misinterpretation

You mention that the audit is liable to misinterpretation by members of the public. This is not a consideration that FOIA is concerned with. You mention your belief that the audit, if disclosed, would be subject to the same “intense world-wide publicity” as the final Cass report was; that is fairly obviously an overstatement.

Response sent

FOIA Internal Review

FOIA Reference Number: 24-25017 GIDS Cass Review:  Audit on Characteristics of 40 Detrans Pts

 

Summary of original request for information: The request was submitted on 10th April 2024. It related to an audit undertaken at the Tavistock and Portman Gender Identity Services on the characteristics of individuals who had detransitioned. This audit had been referred to in The Cass Review of gender Identity services for children and young people in the Trust.

The request was for the Tavistock and Portman NHS Trust (henceforth referred to as ‘The Trust’) to confirm that it held this information, and for this information to be provided to the requestor.
Details of the original refusal / response (i.e. the exemptions used and the reasons for the decision, including Public interest test, if appropriate.) The Trust responded on 7th May 2024.

The Trust confirmed that it held the information.

The Trust stated that it was withholding the audit report in its entirety due to the nature and level of personal details contained within it and had engaged exemption 40(2) of FOIA – information which constitutes the personal data of others, where it would not be permitted under the Data Protection Act 2018.

The Trust cited the fact that the sample group of patients within scope of the audit was small, thus increasing the likelihood of some or all personal characteristics and circumstances of individuals being recognizable by the patients themselves and/or others. The Trust were of the view that redacting or masking of these characteristics and details would not ensure the patients right to confidentiality. Evidence was provided in terms of the number of patients reviewed in the audit.

The Trust were of the opinion that these small numbers rendered the identification of patients highly likely by others who would have heard/read about them, and that such a disclosure was likely to cause significant distress and anguish to this group of patients, should they recognize themselves during, what would have been, a stressful and vulnerable period in their lives.

The Trust also stated that anecdotal evidence indicated that cases of patients who detransitioned, being relatively few in number, tend to attract attention and that these details are often spread by word of mouth and some media outlets.

The Trust conducted a Public Interest test, to weigh up the prejudice (legal definition) of the harm that would be caused by releasing the report, against the public interest.

Arguments identified In favour of disclosing the audit were:

a.         The recent publication of the Cass Review had attracted worldwide attention, and a public release of an audit to which it refers, on para 15.55 on p.189 would increase the public’s awareness of gender de-transition issues experienced by patients.

b.         There is always some legitimate public interest in the disclosure of any information held by public authorities, and this helps to promote transparency and accountability.

c.         The release of factual experiences of detransitioners’ reviewed by two experienced gender Specialists and Consultant Psychiatrists, would provide the public with new or additional information and a new dimension to the data already publicly available.

The arguments in favour of withholding the audit were that the Trust considered all of the data disclosed in the audit to be personal data belonging to third parties, and therefore exempt from disclosure. The Trust were of the view that the report had been written in such a way that, even if redacted, for low numbers, and/or personal experiences/circumstances the facts mentioned could lead to the identification of patients whose records had been referenced, particularly when combined with other gender information that is already in the public domain. It stated that redaction of these details would thereby render the remaining text as meaningless.

The Trust then went on to state:

a)         In recent years, a lot of information about GIDS and the adult GIC service had been released into the public domain, via a high number of FOI requests some of which has led to headlines and publication via the media. Given that the Cass Review has received intense world-wide publicity, the Trust therefore considered it reasonable to anticipate that if released, this audit would receive a similar level media coverage, but would be misunderstood by the public at large, as an authoritative and representative audit, something which it has failed to achieve. The risk of misleading the public by its release was therefore very high.

b)         All Tavistock and Portman NHS Foundation Trust patients had been assured that their records would be treated in the ‘strictest of confidence’ and have any reasonable expectations that their details would not be placed into the public domain, albeit anonymised and that they would be used, only with their permission, for very limited purposes.

c)         Whilst the audit had been conducted by Trust staff, it was neither commissioned nor approved for any purposes by the Trust, mainly due to the small cohort group sizes. Whilst this alone did not exempt the audit from release, it was highly likely that any release would be misleading and misinterpreted by the public at large as a Trust endorsed audit, whereas the reality was that it was not commissioned, nor approved nor endorsed by the Trust.

d)         In addition, when reviewed against the mental illness/autism prevalence cited in the small sample group, there was a significant risk that it would be person identifiable, should it be released into the public domain. As stated above, this would, (most particularly in view of the world-wide reactions to the Cass Review), trigger unwanted publicity and cause distress and/or harm to this sample group of service users, leading to the identification of those whose records had been referenced, and rendering them recognizable by friends, family, or other interested or well informed parties.

e)         The audit quoted low percentages of regret from small sample groups meaning that individuals who regretted their transition could be recognized by others from their quoted characteristics, experiences, and dates of audit.

f)          a determined individual with other knowledge of gender transition matters may be able to triangulate the specific details within the audit with other data already in the public domain, or data already known to them to identify the individuals involved, via the given personal data.

g)         Guidance provided by the Information Commissioner’s Offices noted that any consideration of data release needs to take into account that disclosure under FOIA involves disclosure to the world at large, ie into the public domain.

Having weighed up the balance of public interest in releasing or withholding the requested audit report, the Trust concluded that, on balance, the public interest in withholding the audit outweighs the public interest of its release.

The Trust therefore withheld the audit based on its engagement of exemption set out in section 40(2) of FOIA – information which constitutes the personal data of others, where it would not be permitted under the Data Protection Act 2018 and the outcome of the public interest test.
Reason given by the requestor for requesting a review:

 

 A review was requested on the grounds that the requestor did not think that s.40(2) was engaged correctly. The requestor accepted the Trust’s position that the audit contained personal information. However, they believed that the audit could be anonymised, so that it no longer contained personal information under the terms of s.40(2) / GDPR.

Anonymisation

The requestor believed that the Trusts statements on anonymisation had been inconsistent, as the Trust had stated that redaction of details would render the remaining text meaningless but had also stated that redaction would permit individuals to be identified. The requester argued that the Trust had already disclosed meaningful information about the audit in its response, and therefore it was possible to disclose meaningful data without compromising patient identity. Furthermore, the requestor claimed that under FOI it was not for the Trust to judge the meaning of information it releases. The requestor challenged the Trust’s view that the data was personal data, claiming that once anonymised it ceased to be personal data under GDPR, and therefore could be processed lawfully.

Public Interest test

The requestor questioned the use of a public interest test, stating that s.40(2) is not subject to a public interest test if disclosure would not be permitted under the 2018 Data Protection Act.

The requestor went on to state that regardless of the necessity of the test, The Trust did not describe the public interest in disclosure adequately. The requestor claimed that the key point was that disclosure would tend towards the safe care of the Trust’s patients, which was legitimately a matter of public interest, as evidenced by the frequent references to detransitioned patients in the Cass Review.

Relevance of lack of Trust authorisation of the audit

The requestor questioned the relevance of the statements by the Trust that the audit “was not commissioned, nor approved nor endorsed by the Trust” and “would be used, only with their [ie patients’] permission, for very limited purposes”. The requestor was of the view that as the audit was completed by Trust employees during the course of the working day, and using tools and data provided by the Trust, it was the Trust’s product.

Misinterpretation

The requestor challenged the relevance of the Trust’s argument that the data was open to misinterpretation by members of the public, stating that this was ‘not a consideration that FOIA is concerned with’.

The requestor contested the Trust’s view that the audit, if disclosed, would be subject to the same “intense world-wide publicity” as the final Cass report, describing it as ‘obviously …an overstatement’.

 

Date review requested: Saturday 1st June 2024
Date by which decision should be sent to requester: Tuesday 2nd July 2024

 

Any additional information: (include any information, guidance, changes of circumstances, etc.)  

 

Internal Review conducted by: Dr Myooran Canagaratnam, Consultant Psychiatrist

 

The reviewing officer should consider the complaint relating to the information request under the FOIA, the way in which it was handled and the final decision.

  1. Disclose the information as requested
  2. Partial disclosure of the requested information
  3. Uphold the decision not to disclose the information made on [insert date]
Decision made: (if the complaint relates to non-disclosure of requested information. Please include the rationale behind the decision) Uphold the decision not to disclose the information made on 7th May 2024  
Issues considered as part of the review: Possibility of disclosing anonymised data

The audit consists of a report of the personal characteristics, conditions and experiences, of a small group of patients who have detransitioned. Disclosing these details could lead to the identification of patients, either directly or indirectly, though deduction by those who know (of) them, and a piecing together of random facts that are freely available within the public domain by determined individuals.  As such it is not possible to anonymise this data, and exemption 40(2) does apply.

If these details were redacted, then this would remove the substance of the report. The Trust has shared in its response summary data of the number of patients included in the audit in different cohorts. The Trust is not able to disclose any further data from the report for the reasons above.

Use of Public Interest Test

As the requester has stated, a Public Interest Test was not necessary as Exemption 40(2) applies.   The Trust actually conducted a Balancing Test, mistakenly referred to, in its response, as a Public Interest Test.  The Balancing Test weighed up whether the legitimate interests served by disclosure outweigh the interests or fundamental rights and freedoms of the data subject/s which require the protection of personal data. Part three: The first condition – would disclosure contravene the data protection principles? | ICO

Based on telephone advice received from the ICO by the reviewer, a Balancing Test was not necessary in this case.

Relevance of lack of Trust authorisation of the audit and the potential for Misinterpretation

The audit report was not written with full compliance with established norms for anonymisation of data subjects, and revealed patients’ characteristics, conditions, and experiences.

As soon as the audit was brought to the Trust’s attention it was immediately identified to contain too much patient identifiable information, and that the cohort size was too small to mask individuals and draw generic conclusions.

The lack of authorisation on these grounds and potential for misinterpretation were referred to in arguments against disclosure in the Balancing Test (misnamed as Public Interest test). Whilst this test was actually not necessary, the fact that the audit was not authorised on these grounds highlights that it contains patient identifiable data, and therefore exempt from disclosure under Section 40(2) of the Freedom of Information Act.   The potential for misinterpretation is not the core reason for withholding the audit in this case. However, it does indicate the Trust’s broader concerns regarding the risk of sharing the data, beyond the already stated concerns regarding breaching confidentiality and the distress it will cause patients.

  
Consultation process FOI request for Internal Review  

 

 

Back to top