Local authorities and NHS Trusts (2): unusual appeals ahead

September 17th, 2012 by Robin Hopkins

I blogged earlier (see below) about the sorts of information law issues that arise routinely for local authorities and NHS Trusts. On a more unusual note, it is worth noting that the First-Tier Tribunal is due to hear appeals against notices other than the usual decision notices issued by the Information Commissioner under s. 50 of FOIA.

The first ever appeal against a monetary penalty notice issued for breaches of the Data Protection Act 1998 will be heard on 3-5 December of this year: Central London Community Healthcare NHS Trust v IC (EA/2012/0111). The Trust was fined £90,000 for faxing patient lists containing sensitive personal data to the wrong number. The Commissioner’s press release is available here.

Secondly, Southampton City Council is appealing against a decision by the Commissioner that a licensing policy under which all licensed taxis must use surveillance equipment consisting of CCTV and audio-recording facilities, both of which must operate whenever the vehicle is in motion, breached the first data protection principle. The Commissioner issued an enforcement notice against the Council (his press release is here).

The appeals will feature my fellow Panopticonners Anya Proops (for the Commissioner in both cases) and Tim Pitt-Payne QC (for the appellants in both cases).

Robin Hopkins

 

Local authorities and NHS Trusts (1): compromise agreements, officers’ identities and gagging clauses

September 17th, 2012 by Robin Hopkins

From a FOIA perspective, local authorities and NHS Trusts have this in common: both frequently receive requests for details of compromise agreements and other details about individual officers’ employment and disciplinary records. Three recent cases before the Tribunal confirm the general trend that – absent case-specific and well-evidenced arguments – the Commissioner and Tribunal re reluctant to order disclosure of such personal data, notwithstanding the context of public sector employees.

First, Trago Mills v IC and Teignbridge DC (EA/2012/0028) involved a request for the details of the severance package of a senior planning officer. Based on his dealings with that officer during a number of planning applications, the requester suspected that the stated reason for the officer’s departure from the Council (i.e. early retirement/redundancy) was in fact a ‘shield’, and that the officer had left for reasons of misconduct. The requester had also asked for information on that officer’s handling of planning applications in 2007.

The Council refused the request for the severance information on s. 40(2) grounds. The Commissioner and the Tribunal agreed: the requester’s suspicions were not borne out by the evidence, and the Council had a duty to respect its former employee’s reasonable expectation of privacy. The Tribunal also found that the Council held no further information within the scope of the request given the thoroughness of its searches. I represented the Council in this case, so no further commentary from me. For a detailed analysis of the issues, see the Local Government Lawyer’s article here. 11KBW’s Chris Knight represented the Information Commissioner.

Second, McFerran v IC (EA/2012/0030) involved a police search of a Council residence owned by Shropshire County Council. At the police’s request, two junior Council officers were present, but they had not been involved in any of the decision-making. The requester had concerns about the search and about what the Council may have told the police in the lead-up to the search. He requested the names of the two junior officers as well as their immediate superior. The Council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The requester’s appeal against the latter finding was dismissed, with the Tribunal observing that “although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

The McFerran decision illustrates that, when it comes to junior officials, general transparency considerations will usually not suffice for the disclosure of personal data: case-specific factors will be needed. Local authorities should, however, avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. What matters is what work they have done, rather than what grade or band they are at.

McFerran also illustrates that requesters will often face the following sorts of objection: even if you have valid grounds for concern or complaint about individuals, there are ways of addressing those without disclosure of personal data to the world at large.

The third recent s. 40(2) arose in the context of NHS Trusts and allegations of Trusts using “gagging clauses” in compromise agreements to silence criticism or whistleblowing from departing employees. In Bousfield v IC and Six NHS Trusts (EA/2011/0212; 0213; 0247; 0250; 0251; 0252), the requester was interested not in any specific individual’s compromise agreement, but in the use of such agreements by NHS Trusts more generally. He asked: “Please provide copies of all compromise agreements you have entered into with doctors of any grade. Please also provide a list of exploratory or illustrator issues covered by the compromise agreements (ie the reasons the compromise agreements were entered into)”. One Trust refused to confirm or deny whether it held such information, relying on s. 40(5) (the argument being that there was a risk of identifying any individuals involved, which would breach the first data protection principle) and s. 43(3) (the argument being that confirmation or denial would prejudice the Trust’s commercial interests). Other Trusts also refused the requests, relying on a combination of s. 40(2) (personal data), s. 41 (actionable breach of confidence), 42 (legal professional privilege) and 36(2) (prejudice to the effective conduct of public affairs).

The Commissioner agreed, and the Tribunal has dismissed the requesters appealed. One Trust had conceded that, if there was evidence of gagging clauses being used to prevent former employees from raising any issues concerning patient safety, there would be enormous public interest in disclosing such practices. The decisive issue in this case, however, was that the Tribunal was satisfied on the evidence that no such clauses were being used by these Trusts. Therefore, it concluded that “it is entirely sympathetic to the overall concern that the Appellant feels with regard to the apparently increasing prevalence of gagging clauses but does not find that issue or concern in any way material to the matters which the Tribunal in fact has had to consider”.

It seems that, if the evidence had borne out the requester’s concerns, the analysis may have been very different. This ‘gagging clause’ issue has been considered at Tribunal level before: Bousfield v IC (EA/2009/0113). It may yet resurface.

Robin Hopkins

 

NHS SPINE – PERMISSION TO DELETE CARE RECORDS

May 27th, 2009 by Anya Proops QC

The creation of electronic summary patient records which can readily be accessed by medical teams on the NHS broadband computer system, known as the Spine, is one which has met with approval in many quarters. This is unsurprising given the potential health benefits resulting from clinicians being able to access such records. However, this approval has been tempered by concerns that the NHS, in common with other large-scale public authorities, may not be able to maintain appropriate levels of security with respect to this manifestly sensitive personal data. Yesterday the Guardian reported that, following talks between the ICO and Connecting for Health (CfH), the agency responsible for implementing the records scheme, CfH has now yielded to calls for NHS patients be given the right to have their summary care records deleted from the system (although deletion would not occur if the records had already been used, in which case they would be archived for medic-legal reasons). The right to have records deleted will be additional to the right already granted to patients to opt out of the scheme before a record is created for them. CfH’s decision to permit patients to have their record deleted represents a move away from earlier proposals that, where objections were made, the record would simply be ‘masked’ within the system. Notably, the news over changes to the care records scheme comes only days after it was revealed that records revealing personal data relating to tens of thousands of MOD personnel, which were lost last year, had contained not merely financial information but also highly sensitive vetting information. The revelations have been controversial because, whilst the loss was announced last year, neither Parliament nor the ICO were informed that the lost data included sensitive vetting data.