Executive summary of the data protection audit report carried out by the ICO

The request was refused by University Hospitals of Leicester NHS Trust.

Dear University Hospitals of Leicester NHS Trust,

The Information Commissioner stated on her website that:

"The ICO has carried out a data protection audit of University Hospitals of Leicester NHS Trust with its consent.

University Hospitals of Leicester NHS Trust has asked us not to publish the executive summary of the audit report."

Therefore please disclose the executive summary of the audit report referred to by the Commissioner.

Yours faithfully,

John Slater

FOI - Freedom of Information, University Hospitals of Leicester NHS Trust

Corporate and Legal Affairs – Trust Administration

 

Our Reference: HS/FOI/31506

 

23 January 2017

 

 

John Slater

[1][email address]  

 

 

Dear Mr Slater

 

Request for Information

 

Thank you for your request for information, as received by University
Hospitals of Leicester NHS Trust on 18 January 2017.   Within UHL NHS
Trust, Freedom of Information Act requests are managed centrally by the
Trust Administration Team. 

 

The Trust will endeavour to provide a response within the required 20
working-day deadline.  I will, of course, keep you informed should this
not prove possible for any reason.  If we require any clarification on
your request, we will contact you as soon as possible. 

 

All requesters are advised that the Trust may make a charge for providing
the information to them, to cover the cost of photocopying, postage and
packaging etc – I confirm that where these costs are below £5.00 in total,
no charge will be made.  All requesters are also advised that there may
also be a charge payable to cover costs of locating the information they
have requested, as laid down in the Freedom of Information Act Regulations
published by the Government in December 2004.  Naturally, if such a charge
is to be applied to your request, you will be informed as soon as
possible.

 

Yours sincerely,

 

 

Helen Stokes

Senior Trust Administrator

University Hospitals of Leicester NHS Trust

Tel: 0116 258 8590

 

Information contained in emails may be subject to disclosure under the
Freedom of Information Act 2000, and confidentiality cannot therefore be
guaranteed.  Please ensure that all emails are accurate and appropriate,
and are retained/deleted in accordance with good practice and any policies
of the Trust.  If you are not the intended recipient of this email, please
inform the sender, delete the email from your system and destroy any
copies you may have made.

 

show quoted sections

FOI - Freedom of Information, University Hospitals of Leicester NHS Trust

Corporate and Legal Affairs – Trust Administration

 

Our Reference: HS/FOI/31506

 

15 February 2017

 

John Slater

[1][FOI #382886 email] 

 

 

Dear Mr Slater

 

Request for Information

 

Thank you for your Freedom of Information Act (FOI) request, as received
by the Trust on 18 January 2017 and acknowledged on 23 January 2017.  For
information, the University Hospitals of Leicester NHS Trust is one of the
largest and busiest NHS teaching Trusts in the country incorporating
Leicester General Hospital, Glenfield Hospital and Leicester Royal
Infirmary.  Our three hospitals have around 14,000 staff serving around
one million people across Leicester, Leicestershire and Rutland, and a
further two to three million people from the rest of the UK who come to us
for the specialist services we provide.  During 2015-16 we treated
1,577,200 patients (that’s 4,321 patients per day) – 347,700 more than in
2014-15.

 

Following consultation with colleagues, I confirm that the University
Hospitals of Leicester NHS Trust holds information covered by your FOI
request.  Your FOI request is set out below in bold, followed by the
Trust’s response. 

 

 

The Information Commissioner stated on her website that:

"The ICO has carried out a data protection audit of University Hospitals
of Leicester NHS Trust with its consent.

University Hospitals of Leicester NHS Trust has asked us not to publish
the executive summary of the audit report."

 

Therefore please disclose the executive summary of the audit report
referred to by the Commissioner.

 

The Trust considers the above information to be exempt under the law
enforcement exemption of the Freedom of Information Act 2000 (section
31).  The Trust considers that it is entitled to rely on section 31(1)(g)
of the FOI Act, in that sections 31(2)(a)-(c) are also engaged.  As
section 31 is a conditional exemption, the Trust has applied the public
interest test as required and considers that the balance of the public
interest lies in withholding this information, to enable proper
exploration of the issues referred to in section 31.

 

 

I am sorry that the Trust cannot provide you with information on this
occasion. If you require any further assistance please do not hesitate to
contact me.  If you are dissatisfied with the Trust’s response, you can
contact the Director of Corporate and Legal Affairs on Tel. No. 0116 258
8615 to request a copy of UHL’s Freedom of Information Act complaints
procedure.

 

We must advise you that where we have provided information we have done so
subject to the provisions of the Re-use of Public Sector Information
Regulations 2005.  Accordingly you must not re-use this information
without having the consent of the Trust.  Where the Trust is prepared to
provide its consent then it may levy a charge for doing so. Should you
wish to re-use documents provided then you must make your request in
writing stating your name and your address for correspondence together
with the document that you wish to re-use and the purpose for which the
information is to be re-used.

 

In the event that you remain dissatisfied with the way in which the Trust
has handled any complaint that you may wish to make, we would advise you
of your right to complain to the Information Commissioner at the
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF.

 

Yours sincerely,

 

 

Helen Stokes

Senior Trust Administrator

University Hospitals of Leicester NHS Trust

Tel: 0116 258 8590

 

Information contained in emails may be subject to disclosure under the
Freedom of Information Act 2000, and confidentiality cannot therefore be
guaranteed.  Please ensure that all emails are accurate and appropriate,
and are retained/deleted in accordance with good practice and any policies
of the Trust.  If you are not the intended recipient of this email, please
inform the sender, delete the email from your system and destroy any
copies you may have made.

 

show quoted sections

Dear University Hospitals of Leicester NHS Trust,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of University Hospitals of Leicester NHS Trust's handling of my FOI request 'Executive summary of the data protection audit report carried out by the ICO'.

In respect of the statutory exemptions cited by the Trust I remind it of the relevant Commissioner’s guidance:
• “Sections 31(g) – (i) are engaged by reference to section 31(2).

• For any of these exemptions to apply the public authority claiming them must be able to identify a public authority that has functions for one of the purposes specified in section 31(2) and that function must be prejudiced by the disclosure.

• Functions are the core functions of a public authority; they will normally be functions conferred by statute or, in the case of government departments by the Crown.

• The first five purposes described by section 31(2) all relate to a public authority’s ability to ‘ascertain’ something. This means the relevant public authority must have the responsibility to determine the issue with some certainty.

• Many of the purposes described by section 31(2) can involve investigations. The information relating to confidential sources used in such investigations is protected not by section 31, but by section 30(2).

• There is a very strong public interest in protecting the law enforcement capabilities of public authorities.

• When considering the public interest in preventing crime it is important to take account of all the consequences that can be ‘anticipated as realistic possibilities’.”

Sections 31 (2) (a) to (c) all include the term “ascertaining”. According to the Commissioner’s guidance, to ‘ascertain’ is to make certain or prove. In this context it means that the public authority with the function must have the power to determine the matter in hand with some certainty. The public authority must not only be responsible for the investigation but it must also have the authority to make a formal decision as to whether that person has complied with the law. This could include taking direct action itself such as revoking licences or imposing fines, or it could involve taking a formal decision to prosecute an offender.

I have applied this definition and the broader guidance published by the Commissioner when assessing if the Trust’s engagement of the cited exemptions is reasonable. I came to the conclusion that it is not.

31 (2) (a) - the purpose of ascertaining whether any person has failed to comply with the law.
Please confirm what powers the Trust has to ascertain that any person has failed to comply with the law and take direct action such imposing a fine or taking a formal decision to prosecute an offender. The importance of the Trust having the power to make a formal decision to take some action is demonstrated by examples in the Commissioner’s published guidance. The Trust may find it helpful to direct me to the relevant example(s) that apply in this particular case.

31 (2) (b) - the purpose of ascertaining whether any person is responsible for any conduct which is improper.
The Commissioner has stated that improper conduct relates to how people conduct themselves professionally. For conduct to be improper it must be more serious than simply poor performance. It implies behaviour that is unethical. She has also helpfully explained that:

“Public authorities that have functions of ascertaining whether someone is responsible for improper conduct are likely to include those tasked with upholding professional standards such as the General Medical Council, or the Nursing and Midwifery Council.”

I am not aware of the Trust having any comparable statutory duties. In order to stand up its claim of engaging S.31 (2) (b) perhaps the Trust would be kind enough to explain what they are and where it derives such powers.

31 (2) (c) the purpose of ascertaining whether circumstances exist which would justify regulatory action in pursuance of any enactment exist or may arise, any person has failed to comply with the law.

The Commissioner’s view is that this exemption is one of the more frequently claimed in section 31.This reflects the fact that many activities and sectors of the economy are subject to statutory regulation. Regulators include such bodies as the Food Standards Agency, the Health and Safety Executive, the water services regulation authority OFWAT, and the Information Commissioner. Local authorities also have a number of regulatory responsibilities.

This suggests that it will normally engaged by public authorities with statutory regulatory duties. I am not aware of the Trust having any such duties. Perhaps the Trust would be kind enough to explain what they are in respect of this case in order to justify its engagement of S.31 (2) (c).

Public Interest Test
The Trust hasn’t actually provided its public interest test (“PIT”). Simply stating that it has carried out a PIT is not adequate. The Commissioner will require documentary proof that an adequate fair PIT has been carried out and therefore I can see no reason why it wasn’t provided as part of the Trust’s response.

“Conditional exemption”
On a final point the trust stated that “As section 31 is a conditional exemption …”. Section 31 is actually a “qualified” exemption meaning that it is subject to the public interest test. From a credibility perspective using the correct terminology is always helpful.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/e...

Yours faithfully,

John Slater

Dear University Hospitals of Leicester NHS Trust,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of University Hospitals of Leicester NHS Trust's handling of my FOI request 'Executive summary of the data protection audit report carried out by the ICO'.

The Trust should have provided is response to my IRR by now. I'm sure it is aware of the Commissioner's guidance that a public authority should take no longer than 40 working days from receipt of a request to issuing its substantive response. This includes dealing internal review requests. It would be in everyone's interests to avoid a complaint to the Commissioner but unless I receive a substantive response to my IRR by close of business on Friday 31 March 2017 I will complain to the Commissioner.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/e...

Yours faithfully,

John Slater

FOI - Freedom of Information, University Hospitals of Leicester NHS Trust

John Slater

Our Reference
SM/FOI/3506                                                                     
Date : 31 March 2017

Dear Sir

INTERNAL REVIEW OF HANDLING OF REQUEST MADE UNDER THE FREEDOM OF
INFORMATION ACT 2000 (the "Act")

1. BACKGROUND

1.1        On 18^th January 2017 the Trust received a request under the
Act from the Applicant.

1.2        The following information was requested:

The Information Commissioner stated on her website that:

 

"The ICO has carried out a data protection audit of University Hospitals
of Leicester NHS Trust with its consent.

 

University Hospitals of Leicester NHS Trust has asked us not to publish
the executive summary of the audit report."

 

Therefore please disclose the executive summary of the audit report
referred to by the Commissioner.

 

 

1.3        On 15^th February 2017 the Trust replied to the request. In its
reply the Trust indicated that it was entitled to rely on an exemption
within the Act. 

1.4        On 19^th February 2017 the Applicant requested an internal
review of the handling of their request.

2.         THE REVIEW

2.1        I have now conducted a review of the handling of your request. 
In doing so I have followed the internal procedures of the Trust and have
had regard to all the relevant facts and circumstances.  In particular I
have considered:

2.1.1     The Freedom of Information Act 2000;

2.1.2     The request and the response to that request;

2.1.3     All correspondence and documents including the material which
was provided;

2.1.4     Guidance of the Information Commissioner;

3              FINDINGS

 

3.1          Procedural Findings

 

3.1.1     The 20 working day statutory timeframe for compliance was met..

3.1.2       The Trust's response met the requirements set out in section
17 of the Act. The response stated that information was exempt, specified
the exemption in question, and stated why each exemption applied.  The
response included details of the right to request an internal review and
the right to appeal to the Information Commissioner.

3.2        Substantive Findings

3.2.1     Section 31 (Prejudice to Law Enforcement)

3.2.1.1  I consider that the information was withheld appropriately under
this section.  Section 31 can be claimed by any public authority, not just
those with law enforcement functions Section 31(g) is widely drafted and
along with S31(2) remains engaged.

3.2.1.2   Where we have considered that Section 31 is engaged we have also
considered the public interest in disclosure. Where information has been
withheld under Section 31 it is because the public interest in maintaining
the exemption currently outweighs the public interest in disclosing the
information.  The balance of the public interest has not shifted since the
initial decision was taken to withhold the information.

 

S31. Public Interest Test:

 

Arguments in favour of disclosure Arguments in favour of maintaining the
exemption
·         Promoting accountability o Disclosure would or would be
and transparency by public likely to introduce a ‘chilling
authorities for decisions taken by effect’ into the investigation of
them. potential wrongdoing.
o Disclosure would discourage others
·         Promoting accountability from cooperating with public
and transparency in the spending of authorities and supplying them
public money. with the information they need on
a voluntary basis.
o Reputational Damage to the Trust
o Relationship damage to trust by
current and potential future
employees.

.

3.2.2     Section 36 (Prejudice to the Conduct of Public Affairs)

3.2.2.1  On reconsideration of this matter our Chief Executive Officer has
concluded that Section 36 is engaged and we are relying upon Section 36 to
withhold the information requested.

3.2.2.2  Where we have ascertained that Section 36 is engaged we have also
considered the public interest in disclosure. Where information has been
withheld under Section 36 it is because the public interest in maintaining
the exemption currently outweighs the public interest in disclosing the
information.  The balance of the public interest has not shifted since the
initial decision was taken to withhold the information.

S36. Public Interest Test:

 

Arguments in favour of disclosure Arguments in favour of maintaining the
exemption
·         Promoting accountability o Disclosure would or would be
and transparency by public likely to introduce a ‘chilling
authorities for decisions taken by effect’ into the investigation of
them. potential wrongdoing.
o Disclosure would discourage others
·         Promoting accountability from cooperating with public
and transparency in the spending of authorities and supplying them
public money. with the information they need on
a voluntary basis.

 

4.         CONCLUSION

Following the Review I am not disclosing further information. 

If you are not content with the outcome of your complaint, you may apply
directly to the Information Commissioner for a decision.  The Information
Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Yours sincerely

 

 

 

Steve Murray

Assistant Director of Corporate and Legal Affairs

 

 

show quoted sections

John Slater left an annotation ()

A complaint has now been submitted to the Information Commissioner challenging the engagement of S.31 (g) and S.36 by the Trust.

John Slater left an annotation ()

Unfortunately the ICO has issued a Decision Notice FS50676396 agreeing with the UHLT. I am going to appeal the Decision Notice to the First-Tier Tribunal.