A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

A data protection impact assessment (DPIA) is a process to identify privacy risks to individuals in the collection, use, storing, and disclosure of information. This allows Camden to identify problems so that risks can be removed or reduced to acceptable levels. It also reduces privacy breaches and complaints which can damage the Council’s reputation or enforcement action against it by the Information Commissioner (the regulator). We publish these as a dataset in accordance with the Council's Data Charter and also the GDPR/Data Protection Act 2018.

Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering). De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR. Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering).

De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR.

I can confirm that we do hold the requested information however, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. As the requested information would allow a medical assessor to be identified, I consider this information is exempt under section 40(2) and 40(3A)(a) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the medical assessor or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet that interest and finally, the disclosure must not cause unwarranted harm. In this case we do not have the consent of the medical assessor to disclose their personal information. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest in disclosing the information against the rights and freedoms of the medical assessor. Having reviewed the information you have provided I acknowledge that you have a legitimate interest in disclosure of the information. However, I agree with the previous decision that disclosure of the requested information would cause unwarranted harm. Whilst I acknowledge your comments on this, disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information would not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/40

I can confirm that we do hold information on the names and General Medical Council (GMC) numbers for independent medical assessors. Please note that this response does not relate to a specific claim or claimant. The request is being answered more generally given requests under FOIA are requester-blind, that is to say the identity of the requester is not taken into account when considering a request for information under FOIA. We consider the name and GMC number to be personal data under the Data Protection Act 2018. Disclosure of their names or GMC numbers would result in their identification when entered into the GMC public register. Please be aware that I have decided not to release the names and GMC numbers of the independent medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow an independent medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: A. it is not fair to disclose their personal details to the world and is likely to cause damage or distress. B. these details are not of sufficient interest to the public to warrant an intrusion into their privacy. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the independent medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the independent medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify them, there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Qualifications and experience The NHSBSA does not hold information on the independent medical assessors' qualifications. This is because their medical qualifications and experience are the responsibility of the third-party medical assessment supplier. I hope, however, that the following information provides reassurance on this point: All claims are assessed by the independent medical assessment company with a consistent approach. Each case is considered on its own merits, by an experienced independent medical assessor. The contract with our supplier does not require them to tell us details of their qualifications or their experience.

In September 2024, the Irish Data Protection Commission fined Meta Ireland 91 million euros after passwords of social media users were stored in 'plaintext' on Meta's internal systems rather than with cryptographic protection or encryption. In May 2023, the EU fined Meta 1.2 billion euros for violating laws on digital privacy and putting the data of EU citizens at risk through Facebook's EU-U.S. data transfers. European privacy legislation is seen as being far stricter than American privacy law, and the sending of EU citizens’ data to the United States resulted in the record breaking penalty being issued to the tech giant. In January 2023, after it was discovered that Meta Platforms had improperly required that users of Facebook, Instagram, and WhatsApp accept personalized adverts to use the platforms, the company was issued a 390 million euro fine by the European Commission. EU regulators claim that the social media giant broke the General Data Protection Regulation (GDPR) by including the demand in its terms of service. In addition, Meta was fined 405 million euros by the Irish Data Protection Commission (DPC) in September 2022 for violating Instagram's children's privacy settings. In November 2022, the DPC fined Meta a further 265 million euros for failing to protect their users from data scraping. GDPR violations in 2022 Social media sites and companies are not the only types of online services upon which users' data can potentially be compromised. In 2022, the online service with the biggest fine for violating GDPR was e-commerce and digital powerhouse Amazon, which was issued a 746 million euro fine. Furthermore, in December 2021, Google was penalized 90 million euros for GDPR violations. What are the most common GDPR violations? Since GDPR went into effect in May 2018, fines have been imposed for a variety of reasons. As of June 2022, companies' non-compliance with general data processing principles accounted for the largest share of fines, resulting in over 845 million euros worth of penalties. Insufficient legal basis for data processing was the second most common violation, amounting to 447 million euros in fines.

Information relating to the independent medical assessor Response Names and GMC number I can confirm that we do hold this information relating to medical assessors. However, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. https://www.gmc-uk.org/registration-and-licensing/our-registers Please be aware that I have decided not to release the names and GMC numbers of the medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow a medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: a. it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b. these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Qualifications and experience I have established that the NHSBSA does not hold this information. This is because the medical qualifications and experience of the medical assessors are the responsibility of the third-party medical assessment supplier, Crawford & Company. I hope however, that the following information provides reassurance on this point. All claims are assessed by the independent medical assessment supplier with a consistent approach. Each case is considered on its own merits, by an experienced independent medical assessor. The contract with our supplier does not require them to tell us details of the qualifications of the medical assessors or their experience. The contract does require that all assessments carried out are undertaken by suitably qualified and experienced registered medical practitioners. This includes being registered on the UK GMC register with a licence to practise. In addition, they must meet or exceed the following requirements. Medical assessors must: • be a registered medical practitioner with at least five years’ post graduate experience; and • have experience of the performance of medical and/or disability assessments, addressing questions of causation and impact in the context of legislative or policy requirements to assist the decision maker.

A dataset containing all requests under the Freedom of Information Act 2000 and Environmental Information Regulations 2004 recorded by the council in the 2016/17 financial year.

This dataset is updated on a monthly basis, one month in arrears.

Full requests and responses can be found on out Disclosure Log.

More information about the Act and Regulations can be found on our website.

Thank you for your request for information about the following: Request ‘The name or position of the medical assessor’ The NHS Business Services Authority (NHSBSA) received your request on 3 July 2025. We have handled your request under the Freedom of Information Act 2000 (FOIA). Our response I can confirm that the NHSBSA holds some of the information you have requested. Name(s) of the medical assessor Regarding the name of the assessor(s), I can confirm that this information is held by the NHSBSA as it is included in the medical report received from the medical assessment supplier. All medical assessors are UK based. The name and location of the medical assessor is redacted before this report is disclosed to the claimant or their representative. Please note that this response does not relate to any specific claim(s) or claimant as under FOIA the identity of the individual requesting this information is unknown. The identity of the requester is also not taken into account when considering a request for information under FOIA. We consider the name to be personal data under the Data Protection Act 2018. Disclosure of any individual’s name would result in their identification. Please be aware that I have decided not to release the names of the medical assessors as this information falls under the exemption (section 40 subsections 2 and 3(A)(a)) of the FOIA. As the requested information would allow an independent medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details due to the potential to cause damage or distress b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor The requested information is exempt if disclosure contravenes any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that releasing the name of a medical assessor would identify them, there is a reasonable expectation that this information will not be disclosed under the FOIA. In addition, the medical assessor has not consented to this disclosure. Disclosing this information would be unfair and as such would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Position of the medical assessor I can confirm that the NHSBSA does not hold the requested information. The NHSBSA contracts a third-party supplier, Crawford and Company, to carry out medical assessments for the VDPS. The job role or position of the medical assessors is performed by Crawford and Company and not the NHSBSA. I hope, however, that the following information provides reassurance on this point. All claims are assessed by the independent medical assessment company with a consistent approach. Each case is considered on its own merits by an experienced medical assessor. The contract requires all assessments carried out are to be undertaken by suitably qualified and experienced Registered Medical Practitioners. This includes being registered on the UK General Medical Council with a licence to practise and meet or exceed the following requirements:

Thank you for your request for information about the following: Request ‘I wish to obtain the details if the medical assessor that reviewed my mother's claim..’ The NHS Business Services Authority (NHSBSA) received your request on 7 May 2025. We have handled your request under the Freedom of Information Act 2000 (FOIA). Our response Name(s) The following response does not relate to a specific claim or claimant. The request is being answered more generally given requests under FOIA are requester-blind, that is to say the identity of the requester is not taken into account when considering a request for information under FOIA. I can confirm that we do hold the names of the medical assessors however, we consider the names of the medical assessor to be personal data under the Data Protection Act 2018. Please be aware that I have decided not to release the names of the medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. This is because disclosure of their names would result in their identification. As the requested information would allow a medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: a) it is not fair to disclose their personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into their privacy. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and will identify them, there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Qualifications or Declarations of Interest The NHSBSA does not hold information on the medical assessors' qualifications or declarations of interest. This is because their medical qualifications and experience are the responsibility of the third-party medical assessment supplier.

The name of the medical assessor for VDPS claim. Response I can confirm that we do hold this information relating to medical assessors; however, we are issuing a refusal notice under section 17 of the FOIA as we consider the name and General Medical Council (GMC) number to be personal data as defined under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. Please be aware that I have decided not to release the names and GMC numbers of the medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow a medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: a. it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b. these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA must consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle.

This survey reports a range of experiences from 641 online sex workers selling sexual services via digital technologies during 2016/2017. The survey covers a range of topics including experiences at work, job satisfaction, types of online work, crimes experienced in the working context, relationships with the police and demographics of individuals doing online sex work. The BtG study found that the internet was of significant importance to sex workers indifferent aspects of their work, with 65.3% (n=419) agreeing or strongly agreeing that they would not do sex work if it was not for the internet. This related particularly to those working exclusively in webcam/phone sex work, where 90.5% (n=67) tended to or strongly agreed with this statement, but also to more than two-thirds (67.5%; n=131) of independent sex workers/escorts who did not work in any other sex industry sector. The responses to the survey of sex workers showed the internet played a large part in improving working practices. As we are aware from our prior research that many sex workers use more than one online platform and/or networking site, we asked in our promotional material that people complete the survey only once. We also asked when they arrived at the survey: where they accessed the link from on this occasion; which other online platforms they used; and whether they thought they had already completed the survey. This enabled us to reduce the number of potential duplicate entries, but also to obtain some idea of the overlap between different advertising and networking sites. Note: as the software we used does not collect IP addresses or any other identifying data, we were not able as in some surveys to recognise duplicate entries through this means. The survey was designed using Bristol Online Surveys (BOS), a UK-based online survey tool aimed at academic, educational and public sector communities. BOS is compliant with all UK data protection laws. As some of the websites promoting the survey are not UK-based and have a wider reach than the UK, we specified in our invitation to participate that the survey was for sex workers living in and/or working in the UK. In order to verify whether respondents not based in the UK worked in the UK, we also asked about geographical place of work as well as domicile. Despite specifying the target group for the survey, the online questionnaire was completed by a small number of sex workers who neither lived in nor worked in the UK and these were removed from the data prior to analysis. The survey commenced on 7th November 2016. It was initially advertised on six websites, including a major advertising site for escorts and webcammers with more than 25,000 profiles for female, male and transgender escorts, as well as being promoted through Twitter, facebook and emails to a small number of contacts. By the following week, it had been advertised on nine sites, including the project’s own website, with continuing promotion also on social media. At this stage the invitation to take part in the survey had not appeared on any major sites used by male sex workers and reminders were sent out to the two sites which had agreed to promote the research. By the end of 2016, the survey had been promoted on 15 advertising websites, Beyond the Gaze’s own website, on social media (Twitter and facebook), through sex work projects’ contacts and by snowballing methods. The survey closed on 23rd January 2017, with 652 completed responses and 6 partial responses, which were removed prior to analysis. A further 11 respondents neither lived nor worked in the UK and these were also removed from the dataset, leaving a final total of 641 respondents living and/or working in the UK.

You asked us: ‘Provide the name and qualifications of the medical assessor handling my case.’ The NHS Business Services Authority (NHSBSA) received your request on 27 March 2025. We have handled your request under the Freedom of Information Act (FOIA) 2000. Our response I can confirm that we do hold information on the names for independent medical assessors. Please note that this response does not relate to a specific claim or claimant. The request is being answered more generally given requests under FOIA are requester-blind, that is to say the identity of the requester is not taken into account when considering a request for information under FOIA. We consider the name to be personal data under the Data Protection Act 2018. Disclosure of their names would result in their identification. Please be aware that I have decided not to release the names of the independent medical assessors as this information falls under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow an independent medical assessor to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as: A. it is not fair to disclose their personal details to the world and is likely to cause damage or distress. B. these details are not of sufficient interest to the public to warrant an intrusion into their privacy. The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the independent medical assessor. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the independent medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and will identify them, there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40 Qualifications The NHSBSA does not hold information on the independent medical assessors' qualifications. This is because their medical qualifications and experience are the responsibility of the third-party medical assessment supplier. I hope, however, that the following information provides reassurance on this point: All claims are assessed by the independent medical assessment company with a consistent approach. Each case is considered on its own merits, by an experienced independent medical assessor. The contract with our supplier does not require them to tell us details of their qualifications or their experience.

I therefore request evidence to support that all HR Business improvement advisors have all of the following qualifications as of October 2023 - to current date: The HRSS role includes CIPD, Managing Successful Programmes Qualification, Lean Level 2 qualification in addition to the Six Sigma Green Belt qualification. Response I can confirm that the NHS Business Services Authority (NHSBSA) holds the information you have requested. However, we consider the qualifications of NHSBSA employees to be personal data under section 3(2) of the Data Protection Act 2018. Personal data is exempt from disclosure under Section 40(2) of the FOIA if disclosure would contravene any of the data protection principles. In order for disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. As we do not have the consent of the data subject(s), the NHSBSA is therefore required to conduct a balancing exercise between legitimate interest of the applicant in disclosure against the rights and freedoms of the data subject(s). The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information in order to provide the full picture of the requested data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that employee personal data processed by the NHSBSA remains confidential. Please see the following link to view the section 40 exemption in full: https://www.legislation.gov.uk/ukpga/2000/36/section/40