Decision 045/2011 Mr Christopher Johnstone and Fife Health Board

External report and action plan

Reference No: 201001365
Decision Date: 3 March 2011

Summary

Mr Johnstone asked Fife NHS Board (NHS Fife) for the report and action plan prepared by external consultants following an internal IT security breach. NHS Fife refused to disclose the information, but did not cite any exemption under the Freedom of Information (Scotland) Act 2002 (FOISA) for doing so. Following a review, during which NHS Fife provided a copy of the action plan to Mr Johnstone, but cited the exemption in section 35(1) of FOISA (Law enforcement) in relation to the report, Mr Johnstone remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, during which NHS Fife also cited the exemption in section 30(c) (Prejudice to effective conduct of public affairs), the Commissioner found that the information was not exempt from disclosure and required NHS Fife to disclose the information in the report to Mr Johnstone.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 30(c) (Prejudice to effective conduct of public affairs) and 35(1)(g) and (2)(a), (b), (c) and (d) (Law enforcement)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. During 2008, a clinician employed by NHS Fife was alleged to have inappropriately accessed a number of patients' Emergency Care Summaries. (An Emergency Care Summary is a summary of basic information about an individual patient's health which can be accessed by members of NHS staff if a patient needs urgent medical care when their GP surgery is closed. Emergency Care Summaries can only be looked at without a patient's agreement in very limited circumstances.)

2. As a result, a review was subsequently undertaken by external consultants and a report with recommendations was produced. This was followed up with an action plan which ensured that remedial measures were in place by 31 March 2009.

3. On 21 February 2010, Mr Johnstone wrote to NHS Fife, asking for the report and action plan.

4. NHS Fife responded on 24 March 2010, refusing to disclose the information to Mr Johnstone. NHS Fife did not cite any exemptions in FOISA for refusing to disclose the information (as required by section 16 of FOISA), but advised Mr Johnstone that, due to the nature of the investigation, all relevant material was treated as strictly confidential as the outcome had the potential to lead to criminal and/or disciplinary procedures. Indeed, it advised Mr Johnstone that it understood that the circumstances surrounding the incident continued to form the basis of an ongoing disciplinary hearing with the individual's professional body and that the material had to remain confidential.

5. NHS Fife also indicated that the review had been carried out to identify if there were any weaknesses in the controls in its systems and the steps to be taken to remedy any such weaknesses. NHS Fife advised that, in the circumstances, the content remained sensitive and not for publication.

6. On 24 March 2010, Mr Johnstone wrote to NHS Fife requesting a review of its decision. Mr Johnstone drew NHS Fife's attention to his concerns regarding the protection of patient data and his belief that any weaknesses in the control systems identified by the review and changes made could be usefully shared across Scotland. He also indicated that, from publicly available information, he could find no evidence that NHS Fife had implemented any changes.

7. NHS Fife did not respond to Mr Johnstone's request for review within the timescale set down in section 20(1) of FOISA and Mr Johnstone subsequently applied to the Commissioner for a decision on NHS Fife's failure to respond to his request for review.

8. Following an investigation by the Commissioner, which resulted in Decision 112/2010 Christopher Johnstone and Fife Health Board, NHS Fife provided a response to Mr Johnstone's request for review on 10 June 2010. In its response, NHS Fife advised Mr Johnstone that it no longer wished to withhold the action plan, as it considered that it could be disclosed without risk to the continued security of information systems, either in NHS Fife or more widely. However, NHS Fife relied on the exemption in section 35 of FOISA for withholding the report (it did not advise Mr Johnstone which part of the exemption in section 35 it was relying on to withhold the report), on the basis that it related to the security of systems both within NHS Fife and across NHS Scotland.

9. On 3 July 2010, Mr Johnstone wrote to the Commissioner, stating that he was dissatisfied with the outcome of NHS Fife's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

10. The application was validated by establishing that Mr Johnstone had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

11. On 8 July 2010, NHS Fife was notified in writing that the application had been received from Mr Johnstone and was asked to provide the Commissioner with the information withheld from him. NHS Fife responded with the information requested and the case was then allocated to an investigating officer.

12. The investigating officer subsequently contacted NHS Fife on 5 August 2010, giving it an opportunity to provide comments on Mr Johnstone's application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, NHS Fife was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested (specifically section 35), including which exemption in section 35 it considered applied to the report and how disclosure would, or would be likely to, cause substantial prejudice. The letter to NHS Fife made it clear that it was its responsibility to justify why it had withheld the information from Mr Johnstone and that, if the submissions were inadequate, or failed to adequately justify the refusal of the request, the Commissioner may order it to disclose the information.

13. NHS Fife responded on 26 August 2010 and advised the investigating officer that it considered that all of the information in the report (other than that forming the recommendations, as these were released in the action plan to Mr Johnstone) was exempt from disclosure under section 35(1)(g), read in conjunction with 35(2)(a), (b), (c) and (d), of FOISA.

14. On 2 September 2010, the investigating officer asked NHS Fife for more detailed submissions as to its functions for the purposes of section 35(1)(g). NHS Fife provided further comments on 10 and 16 September 2010. In its letter of 16 September, NHS Fife also indicated that it wished to rely on the exemption in section 30(c) of FOISA for the information in the report, as it considered that disclosure of the report would limit the ability of NHS Fife to conduct its business effectively.

15. As Mr Johnstone has received the action plan associated with this report, this decision will focus on the report.

16. All submissions received from NHS Fife and Mr Johnstone, in so far as relevant, are considered in the Commissioner's analysis and findings.

Commissioner's analysis and findings

17. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Johnstone and NHS Fife and is satisfied that no matter of relevance has been overlooked.

Section 35(1)(g): Law enforcement

18. Section 35(1)(g) of FOISA exempts information if its disclosure would, or would be likely to, prejudice substantially the ability of a Scottish public authority (or of a public authority which is subject to the Freedom of Information Act 2000) to carry out its functions for any of the purposes mentioned in section 35(2). The exemption is subject to the public interest test in section 2(1)(b) of FOISA.

19. NHS Fife argued that its own functions would, or would be likely to be, prejudiced substantially, were the report to be disclosed. It also argued that disclosure could equally prejudice the operation of "other boards" too.

20. The Commissioner must consider three fundamental points when considering whether the exemption in section 35(1) applies:

Does NHS Fife have a function in relation to one or more of the purposes listed in section 35(2)? (The Commissioner notes that NHS Fife believes that disclosure could equally prejudice "other boards" too. NHS Fife has not clarified what it means by "other boards", but the Commissioner considers it reasonable to assume that what is meant is those other boards constituted under section 2 of the National Health Service (Scotland) Act 1978 (the 1978 Act). Given that their functions will generally be the same as those of NHS Fife, he will focus on NHS Fife's functions in this decision.)

If so, would disclosure of the information prejudice substantially, or be likely to prejudice substantially, NHS Fife's ability to carry out one or more of these functions?

Even if this is the case, is the public interest in maintaining the exemption outweighed by the public interest in disclosure of the information?

NHS Fife's statutory functions

21. The investigating officer, in a letter dated 5 August 2010, asked NHS Fife, if it was relying on section 35(1)(g) of FOISA, to provide evidence that it has one or more of the functions in section 35(2) and to provide full details of what it considers to be the relevant purposes under section 35(2).

22. In response, NHS Fife submitted that the risk of compromising its IT security systems would substantially prejudice the following "purposes" of NHS Fife:

35(2)(a) (to ascertain whether a person has failed to comply with the law),

35(2)(b) (to ascertain whether a person is responsible for conduct which is improper),

35(2)(c) (to ascertain whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise) and

35(2)(d) (to ascertain a person's fitness or competence in relation to (i) the management of bodies corporate; or (ii) any profession or other activity which the person is, or seeks to become, authorised to carry on).

23. The investigating officer noted that NHS Fife had not provided any explanation or evidence to support its claim that it has functions in relation to these matters. NHS Fife was asked to advise the investigating officer where the functions derive from (e.g. statute) and to provide submissions in relation to each of the functions it had identified. The investigating officer referred NHS Fife to the Commissioner's briefing on the section 35 exemption[1] and, specifically, to the following paragraph in the briefing:

"A public authority's functions are those things that it has the power, or an obligation, to do. These functions may be set out in statute or they may derive from the constitutional powers of the Crown (Her Majesty's prerogative). Any public authority wishing to rely on this exemption must be able to show that it does in fact have the power or obligation to carry out the relevant function."

The investigating officer also suggested to NHS Fife that it refer to the Commissioner's previous decisions on this exemption.

24. NHS Fife subsequently advised the investigating officer that the functions all derive from the 1978 Act. However, it did not indicate which section(s) of the 1978 Act gives it these statutory functions.

25. More generally, NHS Fife explained that in respect of sections 35(2)(a) and (b) of FOISA, it has a responsibility, if it discovers that any of its employees has, or may have, committed a crime, to report this to the Police. NHS Fife has also advised that it has a responsibility, as an employer, to be able to assure itself that its employees are not acting improperly.

26. In respect of its reliance on sections 35(2)(c) and (2)(d) of FOISA, NHS Fife explained that, as an employer, it has to be able to be sure that any individual employed by NHS Fife is acting in accordance with standards of fitness and competence expected of any of its employees.

27. As noted above, NHS Fife did not indicate which section(s) of the 1978 Act impose on it the statutory functions listed in section 35(2)(a) to (d). While the Commissioner accepts that NHS Fife, like any other employer, has, e.g., a duty to ensure that there is no improper conduct or failure to comply with the law amongst its employees, he does not accept that a mere reference to the 1978 Act is sufficient for NHS Fife to evidence that it has these statutory functions. In the Commissioner's view, a function, for the purposes of section 35(1)(g), must be designed to fulfil one of the purposes specified in section 35(2); is likely, in the case of a body such as NHS Fife, to be imposed by statute; and must be specifically entrusted to the public authority to fulfil, as opposed to being a general duty imposed on all public authorities.

28. As a result, the Commissioner is not satisfied that NHS Fife has evidenced that it has a function, in terms of section 35(1)(g), in relation to any of the matters it has specified in section 35(2), despite being given ample opportunity to do so.

29. However, even if NHS Fife were able to demonstrate that the 1978 Act imposes these specific functions on it, the Commissioner does not accept that NHS Fife has shown that disclosure of the withheld information would, or would be likely to, prejudice substantially its exercise of the functions in question.

Substantial prejudice to these functions

30. As noted above, the exemption in section 35(1)(g) can only apply where disclosure would, or would be likely to, prejudice substantially the exercise by NHS Fife of its functions under section 35(2). The investigating officer asked NHS Fife to evidence how these functions would, or would be likely to be, prejudiced substantially.

31. In response, NHS Fife advised that the report in question had been carried out following a breach of an IT system and was intended to ensure that measures were in place to enhance the effectiveness of systems to prevent further breaches and ensure detection if that occurs. Therefore, according to NHS Fife, any findings of the report that enabled NHS Fife to identify weaknesses in its system or enhance security would be compromised if that information is more widely known.

32. However, NHS Fife has not explained how disclosure of the withheld information would, or would be likely to, prejudice substantially its ability to exercise one or more of the functions set out above (if, indeed, it has these functions). This is one of the key tests that have to be fulfilled in applying this exemption.

33. In considering whether substantial prejudice would, or would be likely to, occur to the functions in question (if NHS Fife has these functions), the Commissioner has also considered the content of the report and the arguments put forward in relation to the exemption in section 30(c) (addressed below), but has come to the conclusion that substantial prejudice would not, and would not be likely to, occur.

34. As a consequence, the Commissioner is not satisfied that the exemption in section 35(1)(g) (as read with 35(2)(a), (b), (c) or (d)) of FOISA applies. He is therefore not required to go on to consider the public interest test set down in section 2(1)(b) of FOISA.

Section 30(c): Effective conduct of public affairs

35. Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs". The use of the word "otherwise" distinguishes the harm required from that envisaged by the exemptions in section 30(a) and (b). This is a broad exemption and the Commissioner expects any public authority citing it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by release of the information, and how that harm would be expected to follow from release.

36. As with the exemption in section 35(1)(g), this exemption is subject to the public interest test laid down by section 2(1)(b) of FOISA.

37. In its submissions, NHS Fife advised that disclosure of the report would limit the ability of the Board to conduct its business effectively, in the sense that it is fundamental to the provision of a health service that patient confidentiality be protected. According to NHS Fife, any disclosure of the information could compromise its ability to protect patient confidentiality.

38. NHS Fife also submitted that the damage likely to be caused would be real and significant and could substantially affect the relationship of trust essential to its provision of health services.

39. Mr Johnstone, on the other hand, finds it difficult to understand how releasing information on an Emergency Care Summary breach from 2008 could prejudice NHS Fife's ability to ensure patient confidentiality towards the end of 2010 (NHS Fife initially cited section 30(c) in September 2010; the Commissioner must consider, however, whether the exemption applied in June 2010, when NHS Fife carried out a review of Mr Johnstone's request). Mr Johnstone commented that he would hope and expect that any security loopholes exposed and discussed in this document would have been closed a long time ago.

40. Having considered the submissions from NHS Fife and the information withheld from Mr Johnstone, the Commissioner is not satisfied that disclosure of the information would, or would be likely to, prejudice substantially the effective conduct of public affairs.

41. The report is a high level report which provides findings following an external investigation which reviewed the audit arrangements for three of the electronic patient based systems used by NHS Fife, the policies and procedures in place regarding the use and administration of these, together with the practices of NHS Fife in respect of these systems.

42. Having viewed the information contained in the report, and from carrying out some research, the Commissioner has identified that some background and contextual information, similar to that contained in the report, relating to two of the patient based systems examined is already in the public domain.

43. In considering all of the withheld information in the report, it is clear that it takes a high level, strategic view of the whole health board. Although there is information which reflects on the practices of NHS Fife and recommendations from the authors of the report as to how practices or policies and procedures could be improved as a result of weaknesses which have been identified, the Commissioner does not consider that disclosure of this information would compromise NHS Fife's ability to protect patient confidentiality.

44. The Commissioner accepts that where steps require to be taken to address issues raised within a report, as in this case, NHS Fife should be allowed to consider and (as required) implement these actions without concern that the information will be disclosed into the public domain before this can be done.

45. However, it is clear from reading the report and the associated action plan that actions have been taken (and had been taken prior to Mr Johnstone's information request and requirement for review) to address these issues. Therefore, even if it were the case that the disclosure of the information in the report may have enabled individuals to breach patient confidentiality, it is clear that relevant actions have been taken to address these potential areas of risk. As a consequence, the Commissioner does not accept that, where actions have already been taken (most actions had been completed by 31 March 2009, with some being undertaken in April 2009 and one ongoing to be completed in September 2009) to address areas of concern, release of the information in the report in response to Mr Johnstone's request would prejudice substantially, or be likely to prejudice substantially, the ability of NHS Fife to protect patient confidentiality in NHS Fife and other health boards.

46. As stated in his published guidance on the use of the exemption in section 30(c), and as noted above, the Commissioner expects any public authority citing this exemption to show what specific harm (which must be at the level of substantial prejudice) would, or would be likely to, be caused to the effective conduct of public affairs by release of the information. The Commissioner does not accept that NHS Fife has provided such evidence to him or demonstrated how disclosure of the information in the report would compromise its ability to protect patient information and confidentiality, or when this harm would occur.

47. The Commissioner is therefore not satisfied that NHS Fife was correct to withhold the information in the report under the exemption in section 30(c) of FOISA.

48. As the Commissioner is not satisfied that the withheld information in the report was correctly withheld under section 30(c) of FOISA, he is not required to go on to consider the application of the public interest test in section 2(1)(b).

DECISION

The Commissioner finds that Fife NHS Board (NHS Fife) failed to comply with Part 1 (and, in particular, with section 1(1)) of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Johnstone.

The Commissioner finds that the information is not exempt by virtue of either section 30(c) or section 35(1)(g) (read in conjunction with section 35(2)(a), (b), (c) and (d)) of FOISA.

He therefore requires NHS Fife to disclose all of the information contained in the report to Mr Johnstone by 18 April 2011.

Appeal

Should either Mr Johnstone or Fife NHS Board wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Kevin Dunion
Scottish Information Commissioner
3 March 2011

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that-

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

…

(c)would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

35 Law enforcement

(1) Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice substantially-

…

(g) the exercise by any public authority (within the meaning of the Freedom of Information Act 2000 (c.36)) or Scottish public authority of its functions for any of the purposes mentioned in subsection (2);

(2) The purposes are-

(a) to ascertain whether a person has failed to comply with the law;

(b) to ascertain whether a person is responsible for conduct which is improper;

(c) to ascertain whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise;

(d) to ascertain a person's fitness or competence in relation to-

(i) the management of bodies corporate; or

(ii) any profession or other activity which the person is, or seeks to become, authorised to carry on; …


[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section35/Section35.aspx