Home Decisions

Decision 223/2024

Decision 223/2024: Correspondence regarding patient safety concerns

Authority:  Healthcare Improvement Scotland
Case Ref:  202400641

Summary

The Applicant asked the Authority for information, including correspondence, concerning referrals from clinicians at a named hospital, relating to concerns about patient safety in the Emergency Department.  The Authority disclosed some information and withheld the remainder under various exemptions in FOISA.  The Applicant was dissatisfied as a specific letter had not been disclosed.  The Authority had withheld the letter as it was considered to be confidential, and its disclosure would otherwise prejudice 
substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

During the investigation, the Authority changed its position and fully disclosed the letter, with the exception of one email address which it continued to withhold.  The Commissioner found that, with the exception of the remaining withheld information, the Authority had not been entitled to withhold the letter under the exemptions claimed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 30(c) (Prejudice to effective conduct of public affairs); 36(2) (Confidentiality); 47(1) and (2) (Application for decision by Commissioner)

Background

1. On 15 January 2024, the Applicant made the following request for information to the Authority:

1) Any referral to [the Authority] from clinicians at [a named hospital], relating to concerns around patient safety in the Emergency Department over the last 18 months.

2) All documentation and correspondence between [the Authority], [the Authority’s] Chief Executive Officer, [a named authority] and the clinicians relating to any such referral, whether the case is active or closed.

2. The Authority responded on 12 February 2024.  It provided the Applicant with some information which it made available to him via a secure file-sharing site.  The Authority explained that, to maintain the privacy of individuals and minimise the potential for identification, some information had been redacted under section 38(1)(b) (Personal information) of FOISA.  The Authority withheld some information, considered to have a quality of confidence, under section 36(2) of FOISA.  It also withheld some information under section 30(c) of FOISA as it considered disclosure would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs where the public interest favoured withholding the information.

3. On 28 March 2024, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that he was dissatisfied with the decision because he believed the response should have included a specific letter from the Authority to the named hospital’s consultants.  The Applicant explained that the letter detailed events reported in the media earlier that week and was written in response to previous correspondence from the consultants complaining about how the Authority had investigated their referral raising concerns about patient safety.  The Applicant asked the Authority to explain why this letter was not included in its response of 12 February 2024.

4.    The Authority notified the Applicant of the outcome of its review on 25 April 2024 upholding its original decision.  It confirmed that the specific letter referred to had not been provided in its initial response, as it was withheld from disclosure under the exemptions in section 30(c) and section 36(2) of FOISA, for the reasons previously stated.  The Authority’s review concluded that, while the information in question ought to have been provided in a redacted format, all content was necessarily redacted given its confidential nature, and so the document had not been disclosed with its review outcome.

5. On 7 May 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated that he was dissatisfied with the outcome of the Authority’s review because he believed there was a clear public interest in disclosure of the content of the letter.  The Applicant stated that the letter was an apology to the consultants after the Authority had failed to properly investigate their concerns about patient safety.  He explained that, when its content was 
subsequently revealed in the media, it led to further public apologies from the Authority and promises of systematic change in how it handled referrals.  In the Applicant’s view, the Authority did not disclose the letter due to embarrassment.

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

7. On 31 May 2024, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was subsequently allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  On 2 July 2024, the Authority was invited to comment on this application and to answer specific questions.  These focussed on the Authority’s justification for withholding the letter under the exemptions in section 30(c) and section 36(2) of FOISA.  Given that certain of the content of the letter had been made public through an online news article, which suggested that the media company was in possession of the letter, the Authority was asked to explain what additional harm would, or would likely, be caused by disclosure of the letter in response to the Applicant’s request.

9. The Applicant was also invited to comment on why he believed disclosure of the letter was in the public interest.

10. On 4 July 2024, the Authority confirmed that it had reconsidered its position.  As a regulator, the Authority affirmed the importance of ensuring confidentiality for complainants and whistle-blowers.  It recognised however that, in this case, at least some of the consultants (to whom the letter was addressed) appeared to have gone to the media with their concerns and the Authority’s letter.  The Authority explained that, having consulted with the complainants to ascertain whether they had any concerns about 
disclosure of the letter, it was now content to disclose the letter with the exception of one email address (withheld under section 30(c)) and one signature (withheld under section 38(1)(b)).  The Authority disclosed the letter, with these redactions, to the Applicant on 5 July 2024.

11. Following receipt of the Authority’s further response and disclosure, the Applicant made the Commissioner aware that he had held an unredacted version of the letter for some time, a point which, he believed, was academic since its content had been fully reported in the media.  The Applicant stated that his complaint was not about the letter, but about the Authority’s apparent concealment of it in response to his information request.

12. On 16 July 2024, the Authority again reconsidered its position in relation to the signature previously withheld under section 38(1)(b) which, it confirmed, it was no longer withholding.  It disclosed the letter to the Applicant that same day, now withholding only one email address under section 30(c) of FOISA.

Commissioner’s analysis and findings

13. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

The Authority’s change of position during the investigation

14. As explained above, during the investigation, the Authority provided submissions to the effect that, with the exception of one email address, the letter which had 
originally been withheld could now be disclosed.  The Authority disclosed this information to the Applicant on 5 and 16 July 2024.

15. By way of background, the Authority explained that it was a prescribed body under the Public Interest Disclosure Act 1998 (PIDA) and the letter in question was the Authority’s response to the cohort of clinicians who had raised concerns under PIDA about patient safety and quality of care, and the Authority’s handling of the case.  The Authority stated that it took seriously its responsibilities under PIDA, and recognised the importance of ensuring confidentiality for complainants and whistle-blowers, and 
assurance for stakeholders, that they may raise concerns without unfair exposure.

16. The Authority recognised that at least some of the complainants may have approached the media, although this was not confirmed.  Information relating to the case and the Authority’s handling of it had entered the public domain through media coverage, which included extracts of the letter in question.  The Authority acknowledged that, at review stage, had it given fuller consideration to external media events and had approached the consultant body (to whom the information related) at that point, its decision-making may have changed.  It maintained that its focus, at review, was on protecting the integrity of the confidential processes associated with the subject matter, and not on minimising any “embarrassment” as claimed by the Applicant.

17. The Authority explained that, in an attempt to resolve the Applicant’s application to the Commissioner, it had contacted the consultant body regarding disclosure of the letter and they did not object to its disclosure.

18. Following disclosure of the letter (with minor redactions) to the Applicant, the Authority stated that the Applicant had informed it that he wished to continue with his appeal and, at the same time, that he already had a copy of the letter in his possession.  The Authority confirmed that it was not aware of how the Applicant had obtained the letter.

19. The Authority confirmed that, with the exception of one email address (which it continued to withhold under section 30(c)), it was no longer relying on any exemptions to withhold the information now disclosed and that it now considered it had been incorrect to withhold this information at review stage.

20. In light of the Authority’s change of position, the Commissioner will now go on to consider the Authority’s application of the exemptions claimed at review stage for the information contained in the letter.

Section 36(2) - Confidentiality

21. Section 36(2) of FOISA provides that information is exempt if it was obtained by a Scottish public authority from another person (including another such authority) and its disclosure, by the authority so obtaining it, to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person.  Section 36(2) is an absolute exemption and is not, therefore, subject to the public interest test in section 2(1)(b) of FOISA.  However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain the disclosure of information which is necessary in the public interest.

22. In its submissions, the Authority recognised that the letter in question was from the Authority and that section 36(2) applied to information provided in confidence to an authority.  It noted, however, that even confirming the existence of a letter or response to a complaint would confirm that a complaint had been received and, more specifically, that parts of the letter reflected the information provided by the complainants.  The Authority confirmed that while it had set aside the section 36(2) exemption in this case, it maintained that, in general, it was possible for parts of a letter of response to a complaint to contain information provided in confidence by a complainant.

23. The Authority submitted that, given that some of the consultant body had apparently waived their confidentiality by sharing information with the media, had [the Authority] confirmed that this was the case [at review stage], it would have disapplied section 36(2) to the substance of the letter.  For this reason, the Authority confirmed that this exemption had been wrongly applied at review stage.

24. Having considered the Authority’s submissions on this exemption, including its change of position, the Commissioner can only conclude that the Authority was not entitled to withhold the information in the letter under section 36(2) of FOISA at review stage, and therefore breached section 1(1) in doing so.

Section 30(c) – Prejudice to effective conduct of public affairs

25. Section 30(c) of FOISA provides that information is exempt information if its disclosure would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.  This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

26. The word "otherwise" distinguishes the harm required from that envisaged by the exemptions in sections 30(a) and (b).  This is a broad exemption and the Commissioner expects any public authority applying it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by disclosure of the information, and how that harm would be expected to follow from disclosure.

27. There is no definition of "substantial prejudice" in FOISA, but the Commissioner considers the harm in question would require to be of real and demonstrable significance.  The authority must also be able to satisfy the Commissioner that the harm would, or would be likely to, occur: therefore, the authority needs to establish a real risk or likelihood of actual harm occurring as a consequence of disclosure at some time in the near (certainly the foreseeable) future, not simply that the harm is a remote possibility.

The Authority’s submissions on section 30(c)

28. The Authority recognised that its arguments for applying this exemption, i.e. that disclosure of a complaint response would be likely to dissuade whistle-blowers and complainants from approaching the Authority in confidence, was fundamentally weakened where the complainants had decided to publicise their complaint.  It did not accept, however, that its decision to withhold information under section 30(c) was due to any “embarrassment”, rather it was a decision made to protect the processes which enable 
complainants and whistle-blowers to approach the Authority with confidence.

29. The Authority acknowledged that it had not fully considered, at review, the apparent disclosure to the media by some of the complainants.  Having reconsidered its position as part of the appeal process, including contacting the consultant body regarding disclosure of the letter (who had not objected to its disclosure), the Authority accepted that additional harm was unlikely and had since released the substantive content of the letter to the Applicant.

30. The Authority confirmed that it did not wish to maintain reliance on section 30(c) for the letter as a whole.  Having reconsidered its wider application of the exemption, and having disclosed the content of the letter to the Applicant, it confirmed that it wished to continue to rely on section 30(c) to withhold only an internal email address of another health authority.

31. In its submissions, the Authority stated that it refrained from publishing internal email addresses not already in the public domain.  It explained that email addresses allowing contact for clinical and information purposes were published, and this allowed healthcare staff to carry out operational business without interruption and ensured that queries were handled by the appropriate staff and channels.  As the email address in question was used for direct internal contact with medical secretaries in 
the relevant department, the Authority considered that public disclosure would be likely to substantially prejudice the effective conduct of clinical services within that team, by allowing unauthorised external communication with that account.  Given that medical secretaries and healthcare teams were already under considerable work pressure, public disclosure of this email address would add to their workload, requiring additional resource in triaging a mailbox for public and external communications not presently 
required.

32. In the Authority’s view, public disclosure of this email address, allowing use of it by patients and members of the public, would significantly increase the risk of patient communications and data being inappropriately routed, with potential for delays to healthcare and negative impacts both on the efficiency of the service and on patient safety.

33. In addition, and noting that health organisations were subject to increasing volumes of phishing attacks (some of which were highly targeted), with criminals actively spoofing genuine email accounts, the Authority argued that disclosure of an internal email address such as this would make it a target for phishing emails and would enable the spoofing of the account for wider attacks.

34. In the Authority’s view, withholding the email address would preserve the operational business processes associated with it.

The Commissioner’s view on section 30(c)

35. The Commissioner has considered the Authority’s submissions and its change of position.  For the information in the letter, previously withheld under section 30(c) which the Authority disclosed to the Applicant during his investigation, the Commissioner can only conclude that the Authority was not entitled to withhold that information under section 30(c) of FOISA at review stage, and therefore breached section 1(1) in doing so.

36. Given that the Commissioner does not accept the application of the exemption for that information, he is not required to consider the public interest in section 2(1)(b) for the information previously withheld by the Authority under section 30(c) which it has since disclosed to the Applicant.

37. For the email address which the Authority continued to withhold under section 30(c), the Commissioner notes that this does relate to an internal email address which could be used to contact administrative staff in another health authority.  He recognises that this exists to provide an internal channel of communication to and from those staff.

38. The Commissioner accepts that, if this email address was made public as the result of disclosure under FOISA, it could allow use by the public to contact staff rather than using the contact details which are publicly available, and which are set up for that particular purpose.  He recognises that this, in turn, would impact on the ability of the other health authority to be able to work effectively and follow relevant internal and external communication processes.

39. For these reasons, the Commissioner accepts that disclosure of the internal email address would have the effect of prejudicing substantially the other health authority from being able to protect their internal and external communication processes.  As a consequence, the Commissioner is satisfied that the Authority was entitled to rely on the exemption in section 30(c) of FOISA to withhold this information.

40. As the Commissioner is satisfied that the Authority was entitled to rely on section 30(c) to withhold this information, he must now go on to consider the public interest test in section 2(1)(b) of FOISA.

Public interest test – section 30(c)

41. As noted above, the exemption in section 30(c) is subject to the public interest test required by section 2(1)(b) of FOISA.

42. In its submissions to the Commissioner, the Authority recognised the public interest in openness and transparency.  It also recognised the public interest in patients and members of the public being able to communicate easily with health organisations.  However, the Authority argued that this interest was best met by the appropriate use of the communication channels provided for that purpose.

43. The Authority believed there was a strong public interest in:

  • protecting the resources and efficiency of the health service in Scotland, and in ensuring clinical resources were not unnecessarily diverted;
  • protecting the cyber security of all public services and, in particular, the territorial health boards in Scotland, given the criticality of their services to the public and the sensitivity of the data that they hold, and
  • maintaining efficient and effective business processes, particularly around health data.

44. On balance, the Authority considered the protection of healthcare systems and data, and of resources, outweighed the public interest in transparency, particularly since the public are already amply provided with appropriate points of contact for that health authority.

The Commissioner’s views on the public interest test – section 30(c)

45. The Commissioner has considered the submissions, along with the remaining information withheld under section 30(c).  He recognises that there is a general public interest in disclosing information held by Scottish public authorities.

46. However, the Commissioner has already accepted that disclosure of this information would provide opportunity for unnecessary disruption and substantially prejudice the ability of the other health authority to effectively conduct its business.  He also considers that the public interest in disclosure of this particular information is met, to some extent, by the existing routes for public contact.

47. On balance, therefore, the Commissioner concludes that the public interest in maintaining the exemption outweighs that in disclosure in respect of the remaining information withheld under section 30(c).  Accordingly, he finds that the Authority was entitled to withhold this information under section 30(c) of FOISA.

Decision

The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that the Authority complied with Part 1 of FOISA by correctly withholding some information (an email address) under the exemption in section 30(c) of FOISA.

However, the Commissioner also finds that the Authority failed to comply with Part 1 by incorrectly withholding the remaining information in the letter at review stage under the exemptions in section 30(c) and section 36(2) of FOISA and, in so doing, failed to comply with section 1(1) of FOISA.

Given that the Authority has already disclosed this information to the Applicant during his investigation, the Commissioner does not require the Authority to take any action in respect of this failure in response to the Applicant’s application.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

David Hamilton
Scottish Information Commissioner

07 October 2024