Sub contractor details

The request was partially successful.

Dear Brighton and Sussex University Hospitals NHS Trust,

In relation to the recently issued fine from the ICO, Duncan Selbie is reported as saying

"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives".

Please confirm the name of the above referenced experienced NHS IT service provider.
Please provide a copy of any contract or written agreement was in place that covered the safe disposal of the hard drives.

Mr Selbie has previously said
"We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay".

Please clarify if the "experienced NHS IT service provider to safely dispose of our redundant hard drives" is the same sub contractor who "subsequently sold them on ebay".

I note from a previous request http://www.whatdotheyknow.com/request/nh... that you did not provide the name of the contractor who Mr Selbie claimed you had sub contracted to destroy the hard drives. Your response indicated that name of the contractor was exempt as "personal data".

Further, please provide a copy of any contract or written agreement was in place that covered the disposal of the hard drives. You have previously indicated that such information was not held. Given Mr Selbie used the phrase "sub contracted" I would anticipate that a contract is held. If no contract is held please provide some advice and assistance as to why no contract is held. Mr Selbie described the person(s) who sold the hard drives on ebay as a "registered contractor". Please explain what is meant by the phrase "registered contractor".

Mr Selbie has also suggested "The Information Commissioner has ignored our extensive representations". Please provide these representations.

Finally, given Mr Selbie has consistently implied that the blame for this incident lies with external contractors, please provide all recorded information about any plans to recover any fine from the third parties to whom Mr Selbie attributes the blame.

If there are any public interest considerations, please take into account the significant public interest in the size of the fine and the confusion that might be inferred from Mr Selbie's slightly confusing accounts. In addition, I note Mr Selbie has himself called for transparency in this process by seeking full details under FOI for the size of the fine. I recognise that the matter is subject to an appeal, but given this suggests further use of public resources, I would argue that only heightens the public interest in disclosure.

Yours faithfully,

Ben Jones

Link: [1]File-List

Dear Ben Jones

I am writing to acknowledge your request for information under the Freedom
of Information (FOI) Act. Your request was received in our office on:
06/06/2012

We are considering your request and will reply more fully in due course.
Under the Freedom of Information Act, we have 20 working days in which to
respond.

Some information, however, might be withheld due to exemptions which are
allowed for by the Act. If this is the case, we will tell you that we have
withheld information and why.

If we can be of any further assistance to you in the meantime, please do
not hesitate to contact the Trust at: [BSUH request email]

Brighton and Sussex University Hospitals NHS Trust will make every effort
to respond to your request if possible. Our main aim and priority,
however, is to provide the best care possible to our patients. Our Trust
will not respond to any requests which are designed to distract staff from
their responsibilities. We appreciate your understanding.

Yours sincerely

Freedom of Information Office

Brighton and Sussex University Hospitals NHS Trust

 

This electronic message contains information from Brighton and Sussex University Hospitals NHS Trust, which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us immediately at [email address].

This Trust is committed to openness and transparency, and this commitment is supported by the Freedom of Information Act 2000. Under the Act, any recorded information held by the Trust, including this message, unless legally exempt, may be subject to public disclosure.

Activity and use of the Brighton and Sussex University Hospitals NHS Trust E-mail system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored for viruses and other harmful material.

References

Visible links
1. file:///tmp/cid:filelist.xml@01CD43D3.9A3557C0

2 Attachments

Link: [1]File-List

 

Dear Mr Jones

Thank you for your recent request for information under the Freedom of
Information (FOI) Act 2000.

1.                     Your request

In your request you refer to a statement made by Duncan Selbie, Chief
Executive of Brighton and Sussex University Hospitals NHS Trust in
relation to the fine issued by the ICO.

You requested that the following be disclosed to you:

(a)                   the name of the "experienced NHS IT service
provider" referred to by Duncan Selbie;

(b)                   a copy of any contract or written agreement in place
that covered the safe disposal of the hard drives;

(c)                   clarification as to whether the experienced NHS IT
service provider to safely dispose of the redundant hard drives is the
same subcontractor who subsequently sold them on eBay;

(d)                   a copy of any contract or written agreement that was
in place that covered the disposal of the hard drives;

(e)                   in connection with the reference to the
representations made to the Information Commissioner, a copy of these
representations;

(f)                     all recorded information about any plans to
recover any fine from the third parties to whom Mr Selbie attributes the
blame.

This request has been handled under the Freedom of Information Act 2000
("FOIA").

2.                     Our response

Brighton and Sussex University Hospitals NHS Trust ("BSUH") is able to
provide you with the following the information:

(a)                   The "experienced NHS IT service provider" referred
to is Sussex Health Informatics Service (for ease of reference, "HIS").
This information is in the public domain and is referred to in the
monetary penalty notice issued by the ICO on 28 May 2012.

(b)                   The arrangements between BSUH and HIS were governed
by a NHS Contract and Service Level Agreements.  Copies of the relevant
materials that applied when the drives were sold on eBay are attached.

(c)                   The NHS IT service provider is not the same
subcontractor who subsequently sold the hard drives on eBay.

(d)                   We repeat our answer at (b) above. To address your
related question as to what is meant by the reference to a registered
contractor, in the context of the contractor who sold the drives on eBay,
it is understood that they were registered Waste contractors

(e)                   I confirm that we hold the information requested in
item (e) above but we are withholding this information because we consider
that the exemptions listed below apply.

(f)                     I confirm that we hold the information requested
in item (f) above but we are withholding this information because we
consider that the exemptions listed below apply.

3.                     Exemptions applied in relation to the request for
any representations made to the Information Commissioner (items  1(e) and
(f) above)

Section 32 (1)

In relation to item in 1(e), the information is exempt as it is held by
virtue of being contained in a document served by a public authority for
the purpose of proceedings in a particular cause or matter. This is an
absolute exemption.

Section 42(1)

In relation to the items in 1(e) and 1 (f), the information is exempt on
the basis that a claim to legal professional privilege could be
maintained.

We have considered in all the circumstances of the case whether the public
interest in maintaining the exemption outweighs the public interest in
disclosing the information. We appreciate the arguments around
transparency in decision making by public authorities. However, in this
instance, we consider that the public interest in maintaining the
exemption outweighs the public interest in disclosure.

Section 31 (1) (c)

In relation to items 1(e) and 1 (f), the information is exempt on the
basis that the release of the information requested would, or would be
likely to, prejudice the administration of justice. 

We have also considered in all the circumstances of the case whether the
public interest in maintaining the exemption outweighs the public interest
in disclosing the information. We appreciate the arguments around
transparency in public authority decision making, however, in this
instance, we consider that there is a strong public interest in
maintaining the exemption in this case. In particular, there is a strong
public interest in not prejudicing the regulatory activity of the
Information Commissioner in this and other similar cases and also the
position of BSUH in its dealings with the Information Commissioner.

Section 40 (2)

In relation to items 1(e) and 1 (f), the information requested contains
personal data which is exempt under s 40 (2), the disclosure of which
would contravene the first data protection principle. We do not consider
that it would be within the reasonable expectations of the individuals
referred to in the requested information that personal data about them
would be disclosed.

Section 36 (2) (c)

In relation to items 1(e) and 1 (f), we also consider that the release of
the information requested would in the reasonable opinion of a qualified
person, otherwise prejudice, or would be likely otherwise to prejudice,
the effective conduct of public affairs.

We have also considered in all the circumstances of the case whether the
public interest in maintaining the exemption outweighs the public interest
in disclosing the information. Although we recognise the arguments around
transparency in decision making by public authorities, we consider that in
this instance there is a strong public interest in not disclosing the
information and in not prejudicing the position of BSUH with regard to the
conduct of this matter.

Section 41

In relation to item 1 (f), some of the information requested was obtained
by BSUH from a third party in circumstances in which the disclosure by
BSUH would constitute an actionable breach of confidence.

4.                     Additional points made in the FOIA request

In your email you also made the point that in a previous request BSUH did
not provide the name of the contractor to which BSUH had sub-contracted to
destroy the hard drives. You commented that the BSUH response indicated
that name of the contractor was exempt because it is personal data. To
clarify, the sub-contractor who sold the drives on eBay was engaged by HIS
and we can confirm that we still regard the identity of the individual
concerned as being exempt under s 40(2) of FOIA.

You also require BSUH to provide advice and assistance as to why no
contract was held.  No written contract is held by BSUH, because HIS made
the arrangements with the sub-contractor.

Please note that any information provided by this Trust is for your
personal use and not for resale or use for profit in any way under the
Re-use of Public Sector Information Regulations 2005.

If you require clarification or if we can be of any further assistance to
you, please do not hesitate to contact us at: [BSUH request email]

If you are dissatisfied with the outcome of your enquiry, you have the
right to appeal. The address of our FOI Review Department is:

Brighton and Sussex University Hospitals NHS Trust
FOI Review
Central Information Unit - D Block
Brighton General Hospital
Elm Grove
Brighton BN2 3EW

If you are still not satisfied with the outcome of your appeal, you can
write to:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 01625 545700

We hope that you find the information provided helpful.

Yours sincerely

Freedom of Information Office

Brighton and Sussex University Hospitals NHS Trust

 

 

This electronic message contains information from Brighton and Sussex University Hospitals NHS Trust, which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us immediately at [email address].

This Trust is committed to openness and transparency, and this commitment is supported by the Freedom of Information Act 2000. Under the Act, any recorded information held by the Trust, including this message, unless legally exempt, may be subject to public disclosure.

Activity and use of the Brighton and Sussex University Hospitals NHS Trust E-mail system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored for viruses and other harmful material.

References

Visible links
1. file:///tmp/cid:filelist.xml@01CD5A94.3886CB30

Dear FOI,

Thank you for your response.

Id be grateful if you could clarify a couple of points.

You have provided a Service Level Agreement and indicated this "applied when the drives were sold on eBay". The agreement appears to only be valid from "April 2009 March 2010" - could you clarify as the press reports have suggested the incidents in question occured after this date?
Could you also clarify what the relationship/nature of the "NHS contract" is - I cannot see it involves BSUH?

In light of your explanation of the relationships of the key parties, I would observe that Mr Selbie's public statement in January 2012 that "We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay" is misleading.

It appears that you had no knowledge of, or relationship with, the individual who sold the hard drives,yet used the phrase "we subcontracted..."
It will help my consideration of whether to appeal your use of exemptions if you could explain if that statement is still considered accurate?

Basically Mr Selbie and the Trust have been very outspoken in this matter, seemingly not accepting any responsbility and challenging the findings of the ICO. Indeed, the above statement attributed to Mr Selbie was as part of his reason for appealling the ICO fine.

If the Trust maintains that position, I think the public interest arguments become open to further challenge - especially as I have been unable to identify a single expression of remorse or apology to the individuals whose data was lost - or indeed your patients who will now, according to yourselves, find their care compromised as a result of the fine.

I note the above response was outside of the statutory timeframes - although this is not a major concern, it would certainly be helpful if you could give a timeframe as to when you might be able to respond to my follow up queries.

Yours sincerely,

Ben Jones