Decision 036/2012 Rab Wilson and Ayrshire and Arran Health Board

Critical Incident Reviews, Significant Adverse Event Reports and action plans

Reference No: 201100433
Decision Date: 21 February 2012

Summary

Rab Wilson asked Ayrshire and Arran NHS Board (NHS Ayrshire and Arran) for copies of all Critical Incident Reviews (CIRs) and Significant Adverse Event Reports (SAERs) carried out by NHS Ayrshire and Arran since January 2005, and for the action plans derived from the CIRs and SAERs.NHS Ayrshire and Arran refused to disclose the CIRs and SAERs to Mr Wilson, on the basis that they were, in their entirety, exempt from disclosure.NHS Ayrshire and Arran advised Mr Wilson that it did not hold any CIR action plans (with the exception of one plan which he had already been given).NHS Ayrshire and Arran also refused to provide copies of the SAER action plans, as they were to be published within 12 weeks, and NHS Ayrshire and Arran considered that they were exempt from disclosure.

Following a review, as a result of which NHS Ayrshire and Arran deemed the majority of Mr Wilson's request to be vexatious and repeat in terms of section 14 of FOISA, Mr Wilson applied to the Commissioner for a decision.

Following an investigation, the Commissioner concluded that Mr Wilson's request was neither vexatious nor repeat.He ordered NHS Ayrshire and Arran to provide anonymised versions of the CIRs and SAERs to Mr Wilson.Although some of the contents of the reports were exempt from disclosure (for example because they contained sensitive personal data), the Commissioner concluded that it was possible to redact the reports in such a way that patients, etc. could not be identified.Failure to provide redacted copies of the reports was a breach of section 1(1) of FOISA.

During the investigation, NHS Ayrshire and Arran located a large number of CIR action plans falling within the scope of Mr Wilson's request; as a consequence, the Commissioner found that NHS Ayrshire and Arran had been wrong to advise Mr Wilson that it did not hold any such plans.

He also found that the exemption in section 27(1) did not apply to the SAER (or CIR) action plans; while "learning summaries" of the plans were published by NHS Ayrshire and Arran during the investigation, the Commissioner was not satisfied that it had intended to publish the plans when Mr Wilson made his information request.In any event, the learning summaries which had been published did not contain the same information as the action plans

The Commissioner therefore ordered NHS Ayrshire and Arran to provide Mr Wilson with anonymised versions of the CIR and SAER action plans.

In the decision, the Commissioner also expresses significant concerns about the handling of Mr Wilson's request and about NHS Ayrshire and Arran's records management practices in relation to CIRs and SAERs and their action plans.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 14 (Vexatious or repeated requests); 17(1) (Notice that information is not held); 25(1) (Information otherwise accessible); 26(a) (Prohibition on disclosure); 27(1) (Information intended for future publication); 30(c) (Prejudice to effective conduct of public affairs); 38(1)(b) and (d), (2)(a)(i) and (b), (5) (definitions of "the data protection principles", "data subject", personal data" and "health record"), 36(2) (Confidentiality); 44 (Recommendations as to good practice); 65 (Offence of altering etc. records with intent to prevent disclosure)

Data Protection Act 1998 (the DPA) sections 1(1) (definition of "personal data") (Basic interpretative provisions); 2(e),(g) and (h) (Sensitive personal data); Schedule 2: Conditions relevant for purposes of the first principle: processing of any personal data (conditions 1 and 6); Schedule 3: Conditions relevant for purposes of the first principle: processing of sensitive personal data (condition 1)

Access to Health Records Act 1990 section 1(1)(a) and (b) ("Health record" and related expressions)

Human Rights Act 1998 section 6(1) (Acts of public authorities)

European Convention on Human Rights article 8 (Right to respect for private and family life)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.This decision relates to a request involving Critical Incident Reports (CIRs) and Significant Adverse Event Reports (SAERs), and the action plans following on from such reports, held by NHS Ayrshire and Arran.The Commissioner understands from the NHS Scotland website^[1] that such reports are used in the primary care field as a structured way of investigating incidents, improving patient care and safety and minimising risk.Significant event analysis involves working as a team to review events and act on what happened, why it happened, what has been learned and what has changed.

2.This decision focuses on a request which Mr Wilson, an employee of NHS Ayrshire and Arran, made on 10 February 2011 for copies of CIRs and SAERs completed since January 2005, together with the action plans arising out of the reports.However, to put the request into context, it is useful to look back at the background to Mr Wilson's request.

3.In September 2006, a patient absconded from a hospital run by NHS Ayrshire and Arran.NHS Ayrshire and Arran subsequently carried out an investigation, on the conclusion of which a CIR was completed and an action plan was developed to address any issues which had been highlighted in the CIR.

4.Mr Wilson requested a copy of the CIR, as he was concerned that erroneous information had been provided to the investigation team.However, he was not provided with a copy. Mr Wilson's request does not appear to have been treated at this stage as a request under FOISA, and it is unclear whether Mr Wilson intended his request to be treated as such.(According to Mr Wilson, it was common practice at this time for NHS Ayrshire and Arran to allow staff involved in an incident to view the CIR.NHS Ayrshire and Arran's "Adverse Incident Policy and Supporting Procedures", which came into effect at the end of 2006, certainly said that anonymised copies of reports would be provided to all members of staff involved in the incident.Matters were not so clear in the previous policy, "Adverse Incident Management Policy", which stated that it was up to the "Relevant Director" to decide which individuals will receive the incident investigation report.)

5.Mr Wilson made a further request for a copy of the CIR at the start of 2007.A number of meetings took place between NHS Ayrshire and Arran and Mr Wilson and, seven months later, NHS Ayrshire and Arran wrote to Mr Wilson to advise him that his request was being processed under FOISA.

6.A redacted version of the report was subsequently provided to Mr Wilson, although Mr Wilson later obtained a full copy of the CIR.Mr Wilson then contacted NHS Ayrshire and Arran about inaccuracies in the CIR, leading to the events surrounding the CIR being revisited and an addendum being added.Mr Wilson was told he would be given a copy of the changes to the report in his capacity as an employee of NHS Ayrshire and Arran, but this did not happen and he made a further request to NHS Ayrshire and Arran for a copy of the amended CIR in 2009.

7.NHS Ayrshire and Arran considered that it would be inappropriate to provide Mr Wilson with a copy of the amended report in his capacity as an employee and treated his request as a request under FOISA.The report was initially withheld in its entirety in 2009 although, following an application to the Commissioner, NHS Ayrshire and Arran offered to provide Mr Wilson with a copy of the addendum, but with personal data redacted.

8.Further correspondence took place between Mr Wilson and NHS Ayrshire and Arran, leading to a request by Mr Wilson in early February 2010 for details about the CIRs, including how many CIRs had been held since September 2006.Mr Wilson was advised that 32 CIRs had been compiled since that date.

9.In October 2010, Mr Wilson asked NHS Ayrshire and Arran how many of these reports had been supplied to members of staff who were directly involved in the incidents.He also asked how many action plans had been completed and implemented in the places where the events took place.

10.NHS Ayrshire and Arran advised Mr Wilson, in line with section 17(1) of FOISA, that it did not hold this information.However, it also advised him that, since reviewing its processes in April 2010, 10 full SAERs had been called.NHS Ayrshire and Arran also provided Mr Wilson with the numbers of completed SAERs, etc.

11.Mr Wilson subsequently made an application to the Commissioner, as he did not believe that NHS Ayrshire and Arran did not know how many action plans had been completed and implemented.Mr Wilson later withdrew the application, on being advised that NHS Ayrshire and Arran, having given details of the searches it had carried out to determine whether it held information relating to the CIRs, had told the investigating officer that it did not hold the action plans he had asked for.

12.On 3 February 2011, Mr Wilson wrote to NHS Ayrshire and Arran asking for all of the CIRs (and the action plans derived from those CIRs), carried out by NHS Ayrshire and Arran since January 2005.In subsequent correspondence with NHS Ayrshire and Arran (10 February 2011), Mr Wilson clarified that he also wanted copies of all SAERs carried out since January 2005 and the action plans derived from these.

13.NHS Ayrshire and Arran responded on 2 March 2011, advising Mr Wilson that the CIRs and SAERs were, in their entirety, exempt from disclosure under section 38(1)(b) of FOISA (this exempts personal data from disclosure where disclosure would breach one or more of the data protection principles contained in the Data Protection Act 1998 (the DPA)).

14.NHS Ayrshire and Arran also advised Mr Wilson, in line with section 17(1) of FOISA, that it did not hold any CIR action plans with the exception of the one CIR which Mr Wilson had previously been given in September 2007.

15.As regards the SAER action plans, NHS Ayrshire and Arran advised Mr Wilson that, as part of its commitment to ensuring an open and transparent management of the SAER process, it planned to make SAER action plans available to the public by publishing them on its website (subject to the removal of any identifiable information).As NHS Ayrshire and Arran expected that the information would be published on its website within the next 12 weeks, it advised Mr Wilson that the SAER action plans were exempt from disclosure under section 27(1) of FOISA.

16.Mr Wilson was not satisfied with this response and, later the same day, wrote to NHS Ayrshire and Arran requiring it to review its decision. He commented that he believed that NHS Ayrshire and Arran had failed to adhere to its own policy on CIR reports over a number of years and that it had failed to provide action plans or feedback from CIRs to staff, which may have led to staff and patients being put at risk.

17.NHS Ayrshire and Arran subsequently carried out a review, notifying Mr Wilson of the outcome on 8 March 2011.It advised Mr Wilson that it now considered his request to be both vexatious (in terms of section 14(1) of FOISA) and repeat (in terms of section 14(2) of FOISA).It commented that it believed that it had responded openly and fairly to Mr Wilson's current, and previous, information requests and that it had supplied information when appropriate and available.

18.NHS Ayrshire and Arran also advised Mr Wilson that it had already been made clear to him that the CIR and SAER reports were entirely exempt from disclosure and that it did not hold any CIR action plans, with the exception of the one plan already provided to him.

19.However, the notice also advised Mr Wilson that NHS Ayrshire and Arran did not regard his request for a copy of the SAER action plans as vexatious, in that the request was for different information about a new process.However, it remained of the view that the SAER action plans were exempt from disclosure under section 27(1) of FOISA.

20.Mr Wilson remained dissatisfied with the response and, on 11 March 2011, wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.He denied that his request was repeat or vexatious and stated that NHS Ayrshire and Arran should hold full copies and redacted copies of the CIRs he had asked for (this point is addressed below; part of NHS Ayrshire and Arran's reasons for finding Mr Wilson's request to be vexatious was the significant burden involved in responding to his request).Mr Wilson also commented that NHS Ayrshire and Arran should hold copies of the CIR action plans.

21.Mr Wilson stated that he understood that the CIR reports are confidential and said he would expect to be provided with copies of the reports, with personally identifiable material redacted.(Mr Wilson did not ask NHS Ayrshire and Arran for anonymised copies of the reports and it is not clear to the Commissioner what Mr Wilson understands "with personal identifiable material redacted" to mean. If interpreted too broadly it could cause the redaction of information which Mr Wilson clearly expects to remain in the reports.As such, the Commissioner will consider the reports in their entirety.)

22.Mr Wilson also expressed his extreme concern that NHS Ayrshire and Arran had not adhered to its policy for CIRs over a period of years, saying that people were never given copies of CIR reports and action plans were not implemented. Consequently, in his view, patients and staff may have been put at risk due to management's failure to comply with NHS Ayrshire and Arran's policy.

23.The application was validated by establishing that Mr Wilson had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request. The case was then allocated to an investigating officer.

Investigation

24.On 6 April 2011, NHS Ayrshire and Arran was notified in writing that an application had been received from Mr Wilson, was given an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and was asked to respond to specific questions. In particular, NHS Ayrshire and Arran was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested and was asked to provide details of searches undertaken to determine if NHS Ayrshire and Arran held any CIR action plans other than the one previously provided to Mr Wilson.

25.In later correspondence with the investigating officer, NHS Ayrshire and Arran decided that it no longer wished to rely on section 14 of FOISA (vexatious or repeat requests). However, NHS Ayrshire and Arran advised the Commissioner that it wished to apply a number of other exemptions to the information and these are all addressed below.

26.The relevant submissions received from both NHS Ayrshire and Arran and Mr Wilson will be considered fully in the Commissioner's analysis and findings below.

Commissioner's analysis and findings

27.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Wilson and NHS Ayrshire and Arran and is satisfied that no matter of relevance has been overlooked.

The information held by NHS Ayrshire and Arran

28.A great deal of time has been spent in this investigation trying to ensure that NHS Ayrshire and Arran had located all of the information which fell within Mr Wilson's request.(In terms of section 1(4) of FOISA, the information which Mr Wilson is entitled to receive, subject to exemptions and other exceptions which are not relevant here, is the information held by NHS Ayrshire and Arran at the time it received Mr Wilson's request.)

Redacted versions of the CIRS

29.As noted above, NHS Ayrshire and Arran initially advised Mr Wilson that it did not hold any redacted versions of the CIRs.Mr Wilson had understood that NHS Ayrshire and Arran would hold redacted versions, given that its policy, in place from November 2006 until January 2011, (Adverse Incident Policy and Supporting Procedures) said, at page 20:

"An anonymised copy of the report will be provided to all members of staff involved in the incident."

30.However, NHS Ayrshire and Arran advised the Commissioner that the only redacted CIR it held was the one provided to Mr Wilson outwith the terms of FOISA (and prepared for that purpose).NHS Ayrshire and Arran noted that it had changed its policy from January 2011, and that the current version of its Adverse Event Policy and Supporting Procedures states, at page 27:

"Once a [sic] an adverse event review has been completed, the report has to be distributed to ensure organisational learning takes place, while assuring the organisation that governance requirements are being met.

Access to all significant adverse event reports and associated summaries and action plans should be requested through the Head of Governance Support, Healthcare Quality, Governance and Standards Unit.

A full copy of the report will not be issued to any individual, either patients, relatives or staff members, without the explicit authorisation of either the Executive Medical or Executive Nurse Director."

31.Following correspondence with NHS Ayrshire and Arran, the Commissioner is satisfied that it does not in fact hold anonymised copies of the CIRs, despite the terms of its policy.The principal versions of the CIRs do not generally name patients or the staff who were involved in the incident leading to the CIR, etc. so, to a certain extent, the principal CIRs have themselves been anonymised.However, the Commissioner has concluded that these are not the "anonymised cop[ies] of the report" referred to in the procedures, which, if they had existed, would have been capable of being provided to the members of staff involved in the incidents.

CIR action plans

32.As noted above, NHS Ayrshire and Arran advised Mr Wilson that it held only one CIR action plan.In response to the letter from the investigating officer dated 6 April 2011, asking what searches it had carried out to determine whether it held any such action plans, NHS Ayrshire and Arran repeated that it held no such action plans, other than the one already provided to Mr Wilson.NHS Ayrshire and Arran referred the investigating officer to a letter which it had sent to the Commissioner on 1 February 2011 in relation to an earlier application made by Mr Wilson where it explained the searches it had carried out to try to locate the action plans.

33.At that time, NHS Ayrshire and Arran had advised the investigating officer that:

all paper files were accessed and physically inspected for information; this is what had led to the 32 CIRs being identified

all documentation available for the 32 CIRs had been reviewed to try to identify if any action plans were available

an electronic search had been undertaken using the code numbers or patient names for the 32 CIRs to try to identify any available information

staff who had previously worked within the Clinical Governance Unit had been asked if they knew of the availability of such action plans

34.However, according to NHS Ayrshire and Arran, these searches did not identify any additional CIR action plans.

35.NHS Ayrshire and Arran had also told the Commissioner that, prior to SAERs being introduced, CIR action plans were not always required to be undertaken and information as to whether a CIR action plan was created or implemented was not routinely recorded.

36.However, given the potentially serious nature of the incidents which give rise to CIRs, the Commissioner's investigating officer in this case challenged NHS Ayrshire and Arran's position. She referred NHS Ayrshire and Arran, in particular, to the January 2005 version of its Adverse Incident Management Policy which said, at page 11:

"With regards to Critical Incident Review events, the Director who has commissioned the independent review will (the Commissioner's emphasis) forward the report and associated action plan to the appropriate committee as outlined in the Risk Management Clinical Governance structure."

37.She also referred NHS Ayrshire and Arran to the fact that the November 2006 version of NHS Ayrshire and Arran's Adverse Incident Management Policy said, at page 20:

"A copy of the action plan will (the Commissioner's emphasis) be passed to the General Manager of the relevant area for co-ordination and implementation.

The Head of Clinical Governance will ensure the master copy of the report and supporting documentation (the Commissioner's emphasis) is retained within the Clinical Governance Office ?"

38.She therefore asked NHS Ayrshire and Arran to carry out further specific searches, including of the records of the Clinical Governance Office, and asked the authority to provide her with a copy of its retention policy as it existed between January 2005 and 3 February 2011 as it applies to CIR action plans.(This was not supplied.)

39.In response, NHS Ayrshire and Arran queried why it was being asked to revisit this issue, given that it considered that it had been dealt with by the Commissioner in an earlier case involving Mr Wilson.NHS Ayrshire and Arran questioned why it was being required to "resubmit this information" when it considered it had already carried out a full search.

40.The investigating officer replied on 14 June 2011, explaining that Mr Wilson had withdrawn his earlier application to the Commissioner and that the Commissioner had therefore not been required to reach a decision as to whether the CIR action plans were in fact held by NHS Ayrshire and Arran.She therefore confirmed that she required the searches to be carried out.

41.On 4 July 2011, NHS Ayrshire and Arran wrote to the Commissioner to advise that, following a period of unplanned leave, a staff member had recently returned to work, and that 56 CIR action plans had been located within the staff member's 'H' drive.NHS Ayrshire and Arran's explanation to the Commissioner was that the failure to find this information was because its IT Department had not been asked to search this part of its servers, as it considered that 'H' drives hold information personal to the staff member, such as expense claims, and that the drives may have held information which it would not have been appropriate for others to see.NHS Ayrshire and Arran said that it had not anticipated that the plans would have been held in this drive and that steps had subsequently been taken to change the system to shared drives with restricted access on a "need to know" basis.

42.NHS Ayrshire and Arran commented that, prior to April 2010, the system for managing, co-ordinating and recording information relating to CIRs was not as robust as its present system.It admitted that the identification of the action plans, after a failure to do so from a previous significant search, was further evidence of a system failure that has now been addressed.

43.NHS Ayrshire and Arran advised the investigating officer that the CIR action plans which had been located had now been summarised and published, and that it therefore wished to apply the exemption in section 27(1) to the action plans (this is addressed in more detail below).It later became clear that what had been published were "learning summaries" rather than the action plans, or anonymised action plans.

44.While the discovery of the CIR action plans went some way in clarifying what information NHS Ayrshire and Arran did hold, a review of the action plans which had been published and of the unredacted versions of the CIRs/SAERs provided to the Commissioner by NHS Ayrshire and Arran (of which there were around 50) raised additional issues.For example, a number of the CIR/SAERs reports did not appear to have any action plans.In a number of cases, there were discrepancies between the number of recommendations in the report and the number of recommendations which had been published.This led to the investigating officer putting additional questions to NHS Ayrshire and Arran as to the information it held.

Location of additional information

45.NHS Ayrshire and Arran replied on 12 October 2011.It noted that it had provided the Commissioner with copies of the CIRs and SAERs on 1 July 2011, but that, on 12 July 2011, a member of staff had been assigned to re-file and review all of the SAER reports which had been located to a single location.A number of the SAER reports NHS Ayrshire and Arran held had not originally been provided to the Commissioner, but would be.(The Commissioner received a further 40 documents on 19 October 2011, including copies of the newly created online summaries of the CIR action plans, updated action plans and copies of CIRs which had not already been provided to the Commissioner, some of which were outwith the scope of the request.)

Provision of redacted action plans to Mr Wilson

46.NHS Ayrshire and Arran also provided the investigating officer with other documents which had not previously been provided to the Commissioner and advised the Commissioner that, given that it had now located the CIR action plans, it would now provide Mr Wilson with all historical CIR action plans and SAER action plans, subject to the redaction of any information which would identify patients, staff and other third parties.(This appears to have been in response to the fact that the Commissioner's investigating officer had by now explained that the exemption in section 27(1) could not be applied retrospectively and that the Board had recognised that what had been published were learning summaries and not the actual action plans.)

47.The investigating officer contacted NHS Ayrshire and Arran on 26 October 2011, asking whether it had now disclosed the action plans to Mr Wilson.NHS Ayrshire and Arran replied shortly thereafter, advising that the plans had indeed been disclosed to Mr Wilson, but that, instead of having been redacted, the plans had been amended or re-written instead, to include information which was not held by NHS Ayrshire and Arran as at the date of Mr Wilson's request.NHS Ayrshire and Arran recognised that this should not have happened, but confirmed that it would provide the investigating officer with an electronic copy of the documents it had provided to Mr Wilson.

48.NHS Ayrshire and Arran subsequently did this and the investigating officer was able to examine the metadata for each document to find out the document's "created on" date in order to determine whether the document was within the scope of Mr Wilson's request.The investigating officer was concerned to note that, in some cases, the creation dates of the plans included dates in late February 2011.These dates are significant, given that they suggested that NHS Ayrshire and Arran had been creating CIR action plans between the date of Mr Wilson's information request (10 February 2011) and NHS Ayrshire and Arran responding to the request (2 March 2011), to advise Mr Wilson that it did not hold any CIR action plans.

The meeting on 15 December 2011

49.The Commissioner subsequently decided that, given the fundamental failings which his investigation had so far uncovered, it would be appropriate for his Head of Enforcement and the investigating officer to meet with NHS Ayrshire and Arran.A letter was sent to the then Chief Executive of NHS Ayrshire and Arran, indicating that the Commissioner had expressed significant concerns about NHS Ayrshire and Arran's handling of Mr Wilson's information request and, in particular, with the explanations provided about its inability to locate CIR action plans prior to June 2011.

50.The Chief Executive was advised that the Commissioner's staff wished to meet with one or more of NHS Ayrshire and Arran's senior staff involved in the CIR/SAER process, who could explain its practice in conducting the reviews and in undertaking follow up actions in line with the associated action plans, in order to allow the Commissioner's staff to better understand NHS Ayrshire and Arran's practice with respect to the creation, distribution, retention and management of the reports and action plans.A request was also made to meet with staff involved with the handling of Mr Wilson's request, who could explain the searches undertaken to attempt to locate the CIR action plans.Supervised access was also sought to NHS Ayrshire and Arran's IT systems.

51.While waiting for a response about the proposed meeting, further correspondence took place between the investigating officer and NHS Ayrshire and Arran in an attempt to ensure that the Commissioner had been provided with all of the information held by NHS Ayrshire and Arran.This led to yet further documents being provided to the investigating officer.

52.The meeting between the Commissioner's staff and NHS Ayrshire and Arran subsequently took place on 15 December 2011.The meeting discussed NHS Ayrshire and Arran's processes, but, given that they had radically changed with the introduction of SAERs, the meeting focussed on the searches which had been carried out in relation to the CIRs action plans.

53.Although the Commissioner had previously been advised that the CIR action plans had been located on a person's "H" drive, it now appeared that they may have been found on a shared drive.According to NHS Ayrshire and Arran, several years ago, when restructuring took place, there were two drives relating to a Directorate that was to be disbanded and it was agreed that the action plans on these drives were to be stored on a new drive.The staff working with the two drives were instructed to transfer the information over to the new drive.One version of events is that the documents had not been transferred over to the new drive and so when the person carrying out the searches came to look for the action plans in that drive, the documents were not there.The other version of events is that the documents had been transferred over, but the person carrying out the searches had not carried out a sufficiently detailed search to locate the action plans.NHS Ayrshire and Arran advised that it has been trying to investigate the matter in order to come to a view as to which "version" is correct, but, given the passage of time and the change of personnel, it felt it may never be able to bottom out this question.

54.Supervised access to NHS Ayrshire and Arran's IT system was given to the Commissioner's staff in order to allow them to check the creation dates of certain action plans.The investigating officer had noted that eight of the CIR action plans disclosed to Mr Wilson appeared to have been created in the second half of February 2011, suggesting that they fell outwith the scope of his request, although the information in the action plans was historical and, in line with NHS Ayrshire and Arran's policies, should have been created long before February 2011.This raised concerns that NHS Ayrshire and Arran had, while advising Mr Wilson that it did not hold any information falling within the scope of the request, been creating action plans in the days following the receipt of his request.

55.The documents were opened on the system and the metadata appeared to corroborate that the documents had been created after the date of receipt of Mr Wilson's request.The employees of NHS Ayrshire and Arran present at that part of the meeting said that they did not know anything about this and that they had not been aware of any work having been carried out on the CIR action plans in February 2011.They were therefore asked to carry out some further investigation in order to determine whether any work had in fact been carried out to the action plans around this date.

56.No further explanation was forthcoming, although, subsequent to the meeting, NHS Ayrshire and Arran advised that it had spoken to its IT Department which had told it that creation dates do not necessarily reflect when a file was actually created, but instead indicate when a file came to exist on a particular storage medium.While creation dates can indicate when a user or computer process created a file, they can also reflect the date and time that a file was copied onto a storage medium; as such, according to the IT Department, it is not uncommon for files that have been copied or moved to have modification dates older than their creation dates.The IT Department had therefore advised that it was not possible to determine when the files were actually created.The Commissioner is not satisfied that this is sufficient explanation and remains concerned that the February 2011 dates may suggest that, at the least, activity relating to the plans had taken placeat a time when NHS Ayrshire and Arran had advised Mr Wilson that no such plans were held.

57.At the meeting, checks were also made of a number of action plans which were recorded as having been created in October 2011, again to determine whether they fell within the scope of Mr Wilson's request; the sample which were checked indicated that the plans had been amended prior to the date of receipt of Mr Wilson's request and that they therefore fell within the scope of his request.

Conclusions on the handling of the request

58.As noted above, much of this investigation has been spent trying to pin down what information NHS Ayrshire and Arran held at the date of Mr Wilson's request.As will be clear from the narrative, this has not been an easy process.

59.The most concerning aspect for the Commissioner is the fact that NHS Ayrshire and Arran advised Mr Wilson (and, indeed, the Commissioner) on more than one occasion that it did not hold any CIR action plans, other than the one plan it had already provided to Mr Wilson.It was only in June, some months after Mr Wilson's request, that NHS Ayrshire and Arran located, apparently by accident, the 56 CIR action plans which it held on its systems.

60.As noted elsewhere, NHS Ayrshire and Arran had advised Mr Wilson, in terms of section 17(1) of FOISA, that it did not hold any CIR action plans (other than the one which he had previously been provided with).That clearly proved to be untrue and, as such, the Commissioner must find that NHS Ayrshire and Arran breached Part 1 of FOISA in advising Mr Wilson that it did not hold the CIR action plans.

61.However, the problems in this case have gone wider than the CIR action plans.Some of the documents provided to the Commissioner were prepared after the date of Mr Wilson's request (and therefore fall outwith the scope of his request ? although NHS Ayrshire and Arran has provided some of these documents, albeit in an amended format, to Mr Wilson).There is also some confusion over the creation dates of certain documents, and whether they were created after the request (as the metadata appears to suggest).

62.However, what the Commissioner is required to do, is to come a view, on the balance of probabilities, as to what information NHS Ayrshire and Arran actually held at the time of Mr Wilson's request.It is clear that not all of the Commissioner's questions have received satisfactory answers.However, given that Mr Wilson made his information request in February 2011, he does not consider it appropriate to extend this investigation further.

63.The Commissioner has been able to come to a view as to which of the CIRs/SAERs fall within the scope of Mr Wilson's request; the Schedule of Documents at the end of this decision lists the relevant reports.

64.What has been more difficult has been to determine which of the multiple CIR action plans (in most cases more than one action plan exists for each CIR) were held by NHS Ayrshire and Arran at the date of Mr Wilson's request.NHS Ayrshire and Arran has been unable to satisfy the Commissioner that the eight CIRs action plans which have creation dates of (late) February 2011 were not created after the date of Mr Wilson's request and he has therefore concluded, on balance of probabilities, that they fall outwith the scope of Mr Wilson's request.However, he notes that previous versions of the those action plans will fall within the scope of Mr Wilson's request.

65.The Commissioner wishes to strongly express his concern that, given the importance of these documents in ensuring that lessons are learned from serious incidents, and action taken to prevent future such events, and given NHS Ayrshire and Arran's stated policy on the action plans, that these action plans were only located by chance, and could not, according to NHS Ayrshire and Arran, be located following detailed searches of its records management system.(The Commissioner has not been able to come to any conclusion as to whether the action plans were found on a personal "H" drive or in another shared file.However, all information held by Scottish public authorities is subject to FOISA and, regardless of which type of drive the plans were located on, the search should have been sufficient to locate the plans.)The action plans are designed to ensure that steps are taken to ensure that lessons are learned and changes to procedures are made, yet they were, according to NHS Ayrshire and Arran, allowed to lie "dormant" and were not actioned. That the plans could not be found for this reason should be matter of concern not just to the Commissioner, but also to those concerned with the governance of the health authority.

66.The problems raised during the investigation (such as failure to locate information and the fact that there is evidence to show that there was activity relating to the CIR action plans at the time when Mr Wilson was told that no such action plans were in existence) were sufficiently serious to lead the Commissioner to question whether the records were, in fact, concealed with the intention of preventing the information being disclosed by NHS Ayrshire and Arran, a criminal offence under section 65 of FOISA.However, after the detailed investigation, the Commissioner believes that this was a case of exceptionally poor records management and systemic failure by NHS Ayrshire and Arran and that there was no intention to prevent the action plans (at least in a redacted form) from being disclosed.

67.As a Scottish public authority for the purposes of FOISA, NHS Ayrshire and Arran is subject to the "Scottish Ministers' Code of Practice on Records Management by Scottish Public Authorities under the Freedom of Information (Scotland) Act 2002".^[2]The current version of the Code states, at page 9, that authorities should ensure they keep the records they will need for business, regulatory, legal and accountability purposes; that authorities should keep their records in systems that enable records to be stored and retrieved as necessary and that authorities should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required.(It should be noted that a failure to comply with this Code may lead to the Commissioner issuing a practice recommendation under section 44 of FOISA.)

68.The Commissioner notes that he is not the only one to have concerns about NHS Ayrshire and Arran's records management relating to CIRs/SAERs.NHS Ayrshire and Arran commissioned PwC to carry out a review of a complaint by Mr Wilson about the 2006 CIR (referred to at the beginning of this decision) and the reporting and following up of such incidents in accordance with NHS Ayrshire and Arran's policy and procedures.The review was published in November 2011 and makes it clear that there have, in the past, been significant control deficiencies in the manner in which significant events were reported, investigated and lessons learned, particularly in relation to the retention of documentation, timeliness of reporting, staff engagement, reporting and the sharing of lessons learned.The review also noted that, since 2009, there have been substantial improvements in the process, although there remain certain improvements which could be made, for example in relation to the retention of documentation, reporting and the sharing of lessons learned.

69.The review noted that, except for reviews called in 2010/11, it was difficult to locate all relevant information in a central location, with documents held in databases, paper format in folders, in email history, and shared drives.The review also found that, in certain circumstances, information simply could not be located.The review noted that management are aware of this issue and have developed a database where all documentation can be uploaded and stored and accessed when necessary, along with all versions of the report with version control mechanisms in place.

70.The PwC report provides evidence which is consistent with the Commissioner's experience in this investigation which points to a conclusion of systemic failure.

Section 25 ? Information otherwise accessible

71.In terms of section 25(1) of FOISA, information which an applicant can reasonably obtain other than by requesting it under section 1(1) is exempt information.This is an absolute exemption in that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.

72.NHS Ayrshire and Arran applied this exemption to the information which it had previously released to Mr Wilson.

73.Given that Mr Wilson already has a copy of this information, the Commissioner is satisfied that it is information which Mr Wilson can reasonably obtain other than by requesting it under section 1(1) of FOISA and that it is exempt from disclosure.

Section 27(1) ? Information intended for future publication

74.Section 27(1) exempts information from disclosure if, at the date the information request is made, the public authority (or any other person) intends to publish the information at a date not later than 12 weeks after the date on which the request is made.For the exemption to apply, it must also be reasonable, in all the circumstances, that the information be withheld from disclosure until the planned date of publication.The exemption is a qualified exemption in that it is subject to the public interest test set out in section 2(1)(b) of FOISA.

75.As noted above, NHS Ayrshire and Arran withheld the SAER action plans from Mr Wilson on the basis that they were exempt from disclosure under section 27(1) of FOISA, although it was clear that the action plans to be published were different from the action plans that it held, given that the published version would, according to NHS Ayrshire and Arran, have "any identifiable information" removed.

76.In a letter to NHS Ayrshire and Arran dated 6 April 2011, at which point the SAER action plans had still not been published, the investigating officer asked NHS Ayrshire and Arran for evidence as to NHS Ayrshire and Arran's intention to publish the plans.

77.In its response dated 19 May 2011, NHS Ayrshire and Arran advised the investigating officer that the action plans had now been published on its website^[3].It noted that it had envisaged that the plans would have been published by mid-April and by 3 May 2011 at the latest. However, there was a slight delay in publication due to a misunderstanding over the deadline date for publication under the exemption in section 27(1).NHS Ayrshire and Arran noted that this is an area where it could improve when dealing with future requests involving the exemption.

78.NHS Ayrshire and Arran also provided the Commissioner with an internal email from the Assistant Director (Healthcare Quality and Governance) dated 23 February 2011, which made reference to previous discussions and which made it clear that work would be carried out to publish anonymised versions of the plans within 12 weeks.

79.For the exemption in section 27(1) to apply, the Commissioner must be satisfied that, as at the date the request was made, NHS Ayrshire and Arran intended to published the SAER action plans.In response to the question, "Was the information requested held with the intention of publication at the time the request was made?", NHS Ayrshire and Arran stated that it was.However, the evidence provided to the investigating officer by NHS Ayrshire and Arran suggests instead that it was only as a result of Mr Wilson's request being made that NHS Ayrshire and Arran decided to publish the anonymised action plans.

80.Mr Wilson made his request on 10 February 2011.The email from the Assistant Director, sent almost three weeks later, states that work would be carried out to publish anonymised versions of the plans within 12 weeks.It is unclear whether the "12 weeks" referred to was 12 weeks after the receipt of the request or 12 weeks from the date of the email.However, the fact that the plans were not published until more than 12 weeks after the date of Mr Wilson's request due, apparently, to a misunderstanding over how the 12 weeks in section 27(1) should be calculated, has led the Commissioner to come to the conclusion that, at the date the request was made, the anonymised SAER action plans were not in fact held with a view to them being published within 12 weeks, but that the publication came about as a result of Mr Wilson's request.

81.This is strengthened by the fact that, on discovering the CIR action plans in June 2011, NHS Ayrshire and Arran applied the exemption to the action plans, again apparently on the basis that a version of the plans had just been published within 12 weeks.

82.The Commissioner would also note that what NHS Ayrshire and Arran did publish were anonymised (and heavily summarised) versions of the SAER and CIR action plans and not the action plans themselves.While the Commissioner understands why NHS Ayrshire and Arran wished to carry out a certain amount of anonymisation (see the discussion on the section 38(1)(b) exemption below), the versions of the plans which have been published are so different from the actual plans that he cannot conclude that, even if NHS Ayrshire and Arran had intended to publish versions of the plans as at the date of Mr Wilson's request, it did not intend to publish the actual SAER and CIRaction plans within 12 weeks.

83.As such, the Commissioner has concluded that the SAER and CIR action plans are not exempt from disclosure under section 27(1) of FOISA.Having concluded that the exemption in section 27(1) does not apply, he is not required to go on to consider the public interest test in section 2(1)(b) of FOISA.

Section 38(1)(b) ? Personal data

84.Under section 38(1)(b) of FOISA, as read with section 38(2)(a)(i) or (b), information is exempt from disclosure if the information is personal data and its disclosure would breach one or more of the data protection principles contained in the DPA.This is an absolute exemption in that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information in the reports and action plans personal data?

85.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified (a) from those data or (b) from those data and other information which is in the possession of, or is likely to come into the possession of the data controller (the definition is set out in full in the Appendix; the interpretation of part (b) of the definition is considered in more detail below).

86.NHS Ayrshire and Arran submitted that the CIRs/SAERs and action plans contain personal information about the subject of the report, staff and, in some cases, other patients.Having read the reports, the Commissioner noted that they also contain references to other parties, such as relatives or representatives of the patients and employees of other bodies, where, for example, another body has responsibilities towards the patient.

87.As noted above, "personal data" only relates to living individuals.A number of the patients who are the subjects of the reports have sadly died and, as a result, the exemption in section 38(1)(b) does not apply to their information.However, in recognition of this, NHS Ayrshire and Arran applied the exemption in section 38(1)(d) (a deceased person's health records) and this is considered in more detail below.

88.For information to be personal data, living individuals must also be identifiable.Patients are generally not named in the reports, but instead are for the most part referred to by a code number.As such, the reports have been, to a certain extent, anonymised.However, the Commissioner considers that, given the breadth of detail in the reports about patients (e.g. specific illnesses, dates of treatment, references to stays in hospitals, moves from other parts of the country), that identification of the patients remains possible.In coming to this conclusion, the Commissioner has taken account of recital 26 to the EU Directive on which the DPA is based^[4] (the Directive), which states that, in determining whether a person is identifiable, account should be taken of all the means likely reasonably to be used to identify the individual.

89.Given that patients could be identified from the reports, it follows that patients' relatives or representatives can also be identified.

90.The officials (the Commissioner uses this terms to reflect the fact that some of the employees referred to in the reports are employees of bodies other than NHS Ayrshire and Arran) can generally be split into two groups, i.e. the officials who were involved in the incidents which led to the review and the officials who were given the task of carrying out the review (and of providing administrative support to the review) and of carrying out actions in relation to the action plans which followed on from the review.

91.The position is simple with those officials who have been tasked with carrying out the review and the actions in the action plans.These officials are named in the reports, and their job descriptions are given.These individuals are clearly identifiable.

92.Matters are not so straightforward, however, when it comes to the officials who were involved in the incidents which led to the reviews as they are not generally named in the reviews, but are instead referred to, for example, as "Nurse A" or "the GP".However, in recognition of the requirements of recital 26 to the Directive, and given the breadth of detail contained in the reports (e.g. the exact timing of various incidents and which ward the incident took place in), the Commissioner is satisfied that the officials referred to in the reports are identifiable.

93.In all of these cases, the Commissioner is satisfied that the information relates to the individuals and that the information is, therefore, the individuals' personal data.The information is clearly about the individuals concerned, is linked to them and has some biographical significance for them.

Would disclosure breach the first data protection principle?

94.Personal data is not exempt from disclosure under FOISA simply because it is personal data.It will, however, be exempt from disclosure, in line with section 38(1)(b) of FOISA (as read with section 38(2)(a)(i) or (b)) if disclosure to a member of the public, otherwise than under FOISA, would contravene one or more of the data protection principles.

95.NHS Ayrshire and Arran has argued that, except in the case of the name of the person charged with leading the investigation (this is addressed in more detail below), disclosure would breach the first data protection principle.This principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 (to the DPA) is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 (also to the DPA) is met.

96.In determining the application of the data protection principles, NHS Ayrshire and Arran reminded the Commissioner of the comment made by Lord Hope in the case of Common Services Agency v Scottish Information Commissioner^[5] (the CSA case) at paragraph 7:

"In my opinion there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down.The references which [FOISA] makes to provisions of [the DPA] must be understood in the light of the legislative purpose of [the DPA], which was to implement Council Directive 95/46/EC.The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data ?"

97.The Commissioner has taken this dictum into account in considering the application of the data protection principles and, indeed, in considering the exemption in section 38(1)(b) as a whole.

98.The definition of sensitive personal data is set out in section 2 of the DPA.In terms of section 2(e), personal data consisting of information as to a data subject's physical or mental health or condition is sensitive personal data.It is therefore clear that information relating to the patients, given that it focuses on their medical condition, is sensitive personal data.There are also instances of references to the health of other individuals, such as members of staff, and this is also sensitive personal data for the purposes of the DPA.

99.Similarly, the reports contain a small amount of information relating to criminal offences, and this information is also sensitive personal data in terms of sections 2(g) and (h) of the DPA (see the Appendix for the full definitions).

Sensitive personal data

100.As noted above, for sensitive personal data to be disclosed under FOISA, at least one of the conditions in both Schedule 2 and Schedule 3 to the DPA must be capable of being fulfilled.Given that the conditions in Schedule 3 are, intentionally, much more stringent than those in Schedule 2, the Commissioner considers it appropriate to look at these first.

101.NHS Ayrshire and Arran, noting the restrictive nature of the conditions in Schedule 3, considered that only the first condition may be relevant in this case.The first condition in Schedule 3 allows sensitive personal data to be processed where the data subject has given explicit consent to the processing of the personal data.It should be noted here that "processing", in response to an information request made under FOISA, means disclosing the information into the public domain.NHS Ayrshire and Arran commented that no explicit consent had been given, and argued that, in the circumstances, it would not be appropriate for such consent to be sought.NHS Ayrshire and Arran's comments focussed on the consent of patients, but the Commissioner believes that its arguments are also relevant for other individuals referred to the in reports.In any event, it is clear no individuals have given explicit consent for their sensitive personal data to be disclosed in response to Mr Wilson's request.

102.The Commissioner is satisfied, given the context and number of the reports, that it would not have been appropriate for such consent to have been sought.Having considered the remaining conditions in Schedule 3 (including the orders made under condition 9 of the Schedule), the Commissioner has concluded that there are no conditions in the Schedule which would permit the sensitive personal data to be disclosed.As such, he finds that disclosure of the sensitive personal data would breach the first data protection principle and that the sensitive personal data is accordingly exempt from disclosure under section 38(1)(b) of FOISA.

103.This does not mean, however, that the information cannot be disclosed in an anonymised form.This is addressed in more detail at paragraphs 139 to 153 below.

Non-sensitive personal data

104.As noted above, NHS Ayrshire and Arran has argued that disclosing the reports and action plans, except for the name of the person charged with leading the investigation, would breach the first data protection principle.(NHS Ayrshire and Arran commented that, as senior officials tasked with ensuring reviews are carried out and action plans are followed through to improve the quality and delivery of its services, it is necessary for members of the public to know the names of the investigating leads.Disclosure would also, in the view of NHS Ayrshire and Arran, allow any concern or comment to be directed to the most appropriate person.)

105.Given that the remaining personal data under consideration is not sensitive personal data, it is only a condition in Schedule 2 which must be met before the data can be disclosed.

106.NHS Ayrshire and Arran considered that there are two conditions in Schedule 2 which may be relevant, the first being condition 1, which allows personal data to be processed where the data subject has consented to the processing.As with condition 1 of Schedule 3, the Commissioner is satisfied, given the context and number of the reports, that it would not have been appropriate for such consent to have been sought.He is also satisfied that consent has not been given.As such, he finds that condition 1 of Schedule 2 cannot be met.

107.The next condition which NHS Ayrshire and Arran considered might be relevant is condition 6 of Schedule 2.Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

108.There are, therefore, a number of different tests which must be satisfied before condition 6 can be met.These are:

Is there a legitimate interest in obtaining the personal data?

If there is, is the disclosure necessary to achieve these legitimate aims?In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subjects (i.e. the individuals to whom the data relate)?

Even if the processing is necessary to achieve these legitimate aims, would the disclosure nonetheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

109.As noted in paragraph 96, there is no presumption in favour of the release of personal data under the general obligations laid down by FOISA.Accordingly, the legitimate interests must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed.If the two are evenly balanced, the Commissioner must find that NHS Ayrshire and Arran was correct to refuse to disclose the personal data to Mr Wilson.

110.Many of NHS Ayrshire and Arran's arguments in relation to these three tests focussed, as is to be expected, on the sensitive personal data of the patients.As the Commissioner has already found this information to be exempt from disclosure under section 38(1)(b) (see paragraphs 100 to 103 above), he will not repeat the submissions made by NHS Ayrshire and Arran in relation to the sensitive personal data, but will refer instead to the arguments made in relation to personal data of the other data subjects.

Is there a legitimate interest?

111.NHS Ayrshire and Arran noted that, while Mr Wilson, as a charge nurse, does have a legitimate interest in ensuring the safety of staff, this interest is not achieved by gaining access to personal information about other members of staff.NHS Ayrshire and Arran also argued that Mr Wilson does not have a legitimate right to information which is not relevant to the patient's immediate care (which would include, for example, information about patients' relatives or representatives).

112.NHS Ayrshire and Arran stated that Mr Wilson may claim that he has a legitimate interest in scrutinising a public authority's internal processes, ensuring that incidents are appropriately investigated and lessons learned are passed on.However, in the view of NHS Ayrshire and Arran, Mr Wilson does not have a legitimate interest in accessing information about other professionals.In its view, any interest in scrutiny would be served by knowing the name of the person leading the investigation, the recommendations and actions.

113.Mr Wilson, for his part, argued that highlighting poor systems and processes would ensure that those poor systems and processes would not be repeated, leading to improved care.He also commented that the people of Ayrshire have a right to know of any failing or weaknesses within their tax-payer funded health care system, and that making the public aware of any serious failings can only lead to improved patient care.

114.In determining whether Mr Wilson has a legitimate interest in the remaining information, the Commissioner believes that it is useful to break the information down into three different types: information about patients' relatives or representatives; information about officials who were directly involved in the incidents which led to the CIR/SAER and information about the officials who were given the task of the carrying out the review and of ensuring that action plans were complied with.

115.The Commissioner considers that there is strong legitimate interest in understanding the circumstances surrounding significant adverse events, in which the safety or care of patients might have been compromised.The reviews of such events might highlight strengths and weaknesses in systems, training, or infrastructure, and ensure that people can learn from what has gone wrong.It is worth noting that NHS Ayrshire and Arran's current procedures covers "adverse events", defined as an event that causes, or has the potential to cause, unwanted effects involving the safety of patients, users, staff or other persons or that results in loss or harm.The policy also covers "near misses", defined as an act of omission or commission which may have had the potential for harm, but through luck or robust physiology, had no ill effect on the patient or staff member.These are, therefore, serious and important matters.

116.However, while there may in general be a legitimate interest in highlighting the strengths and weaknesses of systems, etc., the Commissioner does not consider that this interest extends to obtaining the personal data of patients' relatives or representatives.As such, the Commissioner finds information relating to patients' relatives or representatives to be exempt from disclosure under section 38(1)(b) of FOISA.

117.As noted above, the officials whose personal data is contained within the reports can be split into two different types: information about officials who were directly involved in the incidents which led to the CIR/SAER and information about the officials who were given the task of the carrying out the review and of ensuring that action plans were complied with.

118.The Commissioner considers that Mr Wilson's legitimate interest extends to information about both sets of professionals, given the legitimate interest in highlighting the strengths and weaknesses of systems, training and infrastructure in order that lessons can be learned from what has (or could have) gone wrong.Mr Wilson also has a very specific legitimate interest in this information, given that when he was involved in a significant incident, which led to a CIR, the CIR contained incorrect information regarding a member of staff.As a result of Mr Wilson's intervention, an addendum was added to the CIR.

Is the disclosure of the information necessary for these legitimate interests?

119.Having established that Mr Wilson does have a legitimate interest, the Commissioner must now go on to consider whether the disclosure of the personal data is necessary for the purposes of the legitimate interest.He must consider whether disclosure is proportionate as a means and fairly balanced as to ends, or whether these legitimate aims could be achieved by alternative means which would interfere less with the privacy of the individuals in question.

120.NHS Ayrshire and Arran has argued that the disclosure of the information is not necessary to achieve any legitimate aims.It commented that it is recognised that to learn from a CIR (or SAER), the staff involved and other relevant staff members should have access to the recommendations that have arisen out of the report to ensure such failings or incidents do not reoccur.Therefore, following a CIR (or SAER), any learning points are identified in collaboration with local managers and lead clinicians.This information is fed back to staff and actions and learning points are now publicised on NHS Ayrshire and Arran's website, in line with NHS Ayrshire and Arran's commitment to more open and transparent reporting of recommended actions arising from adverse events.

121.NHS Ayrshire and Arran also argued that Mr Wilson has no right to information about members of staff's action or inaction in respect of an incident.It commented that Mr Wilson is not acting on behalf of any of these staff members.

122.NHS Ayrshire and Arran recognised that, if Mr Wilson is claiming that there is a legitimate interest in transparency, he may argue the need to access this personal data to get the full picture, in order to properly scrutinise what has happened.However, NHS Ayrshire and Arran considered this to be disproportionate.

123.The Commissioner accepts that it is not proportionate for Mr Wilson to have access to the names, etc. of the officials who were involved in the adverse events; he agrees with NHS Ayrshire and Arran that the legitimate interest in transparency will be equally served by the information being fed back to staff and, more recently, as a result of actions and learning points now being publicised on NHS Ayrshire and Arran's website.The Commissioner recognises the more specific legitimate interest in ensuring that the reports are accurate, but also considers that such disclosure would not be proportionate, given that it would lead to the identity of a number of staff in circumstances where they would certainly not expect to be named.

124.The fact that a member of staff was involved in an adverse event does not mean that he/she was responsible for the event or that his/her conduct was improper.There will be situations where that has been the case, but, as recognised in NHS Ayrshire and Arran's current "Adverse Event Policy and Supporting Procedures", where staff action, through consent or neglect, has led to a Health and Safety Offence being committed, the member of staff may be liable for prosecution.Similarly, the employee conduct process will be used where the actions of those involved may be a conscious breach of policy, repeated malpractice or practice of a malicious, negligent or criminal nature.The Commissioner considers that use of these policies is more proportionate in order to achieve this legitimate interest than by disclosing the names of the relevant officials.

125.However, the Commissioner takes a different view in relation to the names of the officials who were given the role of carrying out a CIR/SAER and with the responsibility of carrying out actions under the action plans (with the exception of the names of administrative staff who carried out administrative functions in relation to meetings, etc.; the Commissioner considers that it would not be proportionate to identify these members of staff).NHS Ayrshire and Arran's Adverse Event Policy makes it clear that it is members of staff who are charged with these roles and the Commissioner considers that it would not be disproportionate for these names to be disclosed.(As noted above, NHS Ayrshire and Arran have already agreed that the name of the lead investigator should be disclosed.)

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

126.The Commissioner must now consider whether disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects, i.e. the officials charged with carrying out the review and with ensuring that action plans are complied with.As noted above, this involves a balancing exercise between the legitimate interests of Mr Wilson and the data subjects.Only if the legitimate interests of Mr Wilson outweigh those of the data subjects, can the information be disclosed without breaching the first data protection principle.

127.The Commissioner's guidance on the exemption in section 38(1)(b)^[6] identifies a number of factors which should be taken into account in carrying out this balancing exercise.These include:

whether the information relates to the individuals' public life (i.e. their work as a public official or employee)

the potential harm or distress that may be caused by the disclosure

the reasonable expectations of the individual as to whether their information would be disclosed

128.NHS Ayrshire and Arran also referred the Commissioner to guidance published by the (UK) Information Commissioner (who is responsible for enforcing the DPA throughout the UK) and to factors included in his guidance, which are similar to those listed above, but which also say that this it is relevant to take into account whether the disclosure is incompatible with the purposes for which it was obtained and the legitimate interest of the public in general in knowing who was involved in carrying out any review.

129.In considering these factors, NHS Ayrshire and Arran took the view that staff involved in reviewing the incidents in question would not expect their personal data to be disclosed to the public at large, given that they are acting in their capacity as employees.It is concerned that patients, staff and patients' representatives dissatisfied with the outcome of a review may go on to harass these members of staff or try to extract more information from them about the events.

130.The Commissioner disagrees with NHS Ayrshire and Arran in this regard.The professionals tasked with carrying out such reviews are, generally, senior members of staff.This is clear from section 4 ("Accountability, Responsibility and Compliance") of NHS Ayrshire and Arran's current procedures, which lists the various posts which are responsible for SAERs and the action plans.The Commissioner believes that it would be unreasonable for senior members of staff not to expect that the fact they have been asked to be involved in a team carrying out a review or have been tasked with carrying out an action under an action plan would be disclosed.

131.The fact of their involvement also very much relates to their public life and not to their private life.

132.The Commissioner notes NHS Ayrshire and Arran's concerns that the members of staff involved may be harassed by patients, staff and patients' representatives dissatisfied with the outcome of a review.However, although a large number of reviews have been carried out, many of which have in the past been shared with patients, family members and members of staff, NHS Ayrshire and Arran has not provided the Commissioner with any evidence that such harassment has taken place.

133.As such, subject to the paragraph below, the Commissioner considers that NHS Ayrshire and Arran has overstated its arguments in relation to the interests of the data subjects and finds that disclosure would not cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects.

134.The Commissioner notes, however, that in several cases, officials have been appointed to an investigation team or are charged with ensuring that certain actions are carried out despite the fact that they are not senior officials.In these cases, given that the Commissioner is satisfied that the individuals would not reasonably expect that their information would be disclosed, the Commissioner finds that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects.As such, no condition in Schedule 2 applies to this information, the information is exempt from disclosure under section 38(1)(b) of FOISA.

Would disclosure be fair and lawful?

135.Having reached these conclusions, the Commissioner must now go on to consider whether disclosure of the names of the senior officials would be fair and lawful.

136.The Commissioner considers that disclosure would be fair, for the reasons already outlined in relation to condition 6, above.

137.NHS Ayrshire and Arran has not put forward any arguments as to why the disclosure of this particular information would be unlawful, except in relation to its arguments that disclosing personal data would involve a breach of the DPA, which would in itself be unlawful.

138.Having found disclosure of the personal data of the senior officials to be both fair and lawful, and in accordance with condition 6, and no arguments having been advanced as to why disclosure would otherwise be unlawful, the Commissioner concludes that disclosure would not breach the first data protection principle.As such, the information is not exempt from disclosure under section 38(1)(b) of FOISA.

Is it possible to disclose the reports and action plans in an anonymised format?

139.As noted above, the Commissioner has found that the personal data of patients, patients' relatives or representatives, and of certain officials, is exempt from disclosure under section 38(1)(b) of FOISA.

140.In the CSA case referred to above, the House of Lords considered that, even where information is exempt from disclosure, section 1(1) of FOISA obliged public authorities to disclose the information in an anonymised format.As Lord Rodger commented in paragraph 73:

"? even if the information does constitute "personal data", the [CSA] will still be obliged to supply it, if that can be done without contravening the data protection principles in Schedule 1 to the [DPA].And, if supplying the information in one form would contravene those principles, in my opinion, section 1(1) of [FOISA] obliged the [CSA] to consider whether it could comply with its duty by giving the information in another form ?"

141.The Commissioner has therefore considered whether it would be possible for NHS Ayrshire and Arran to disclose the reports and action plans to Mr Wilson in a form which would not contravene the first data protection principle, for example by anonymising the personal data.

142.NHS Ayrshire and Arran recognised that the information in the reports would no longer be exempt under section 38(1)(b) if it could be fully anonymised, but it takes the view that it would not be possible to anonymise the reports.NHS Ayrshire and Arran noted that the reports contained a considerable amount of personal data and commented, correctly, that anonymising a report does not simply mean removing the names of the individuals in the report, given that it might still be possible to identify individuals deductively from other information in the reports.

143.NHS Ayrshire and Arran referred the Commissioner to Decision 028/2010 Mr Ivind Thoresen and Tayside NHS Board, which involved a request for an audit report, and where the Commissioner considered (paragraphs 70 to 75) whether it would be possible for the report to be disclosed in an anonymised form.In that case, the Commissioner came to the conclusion that, given Mr Thoresen's knowledge about the personnel within the relevant department and their duties, it would not be possible to fully anonymise the report as it would have required the redaction of the personal data, leaving no information that would be meaningful in isolation.

144.NHS Ayrshire and Arran argued that the current case is congruous with Decision 028/2010 and that, even if the names of the individuals are removed in the reports, the individuals to whom the data relates would be readily identifiable by NHS Ayrshire and Arran and potentially others, and a considerable amount of personal data would remain.NHS Ayrshire and Arran also commented that, as a staff member, Mr Wilson has access to information which would potentially allow him to identify more readily the subject of the reports and the staff members.

145.While the Commissioner recognises that Mr Wilson is an employee of NHS Ayrshire and Arran, Mr Wilson is not in the same position as Mr Thoresen was in Decision 028/2010.Mr Thoresen was a member of the team which was the subject of the audit report.The report focussed on the service provision and capability of staff within the Audiology Service, and made recommendations as to areas of improvement within the Service.Given that Mr Thoresen worked so closely with other members of staff, it would not have been possible to redact the report.

146.The Commissioner notes that, according to its website, more than 5,800 people work in NHS Ayrshire and Arran's hospitals^[7].There are a wide range of CIRs/SAERs and action plans covering a number of different hospitals (according to its website, NHS Ayrshire and Arran has 10 hospitals) and covering a wide range of disciplines (Mr Wilson works in one specialist clinical area) over a six year period.NHS Ayrshire and Arran covers a large geographical area, parts of which are densely populated.It is not necessary for patients to be resident in the area to be admitted to hospital.Anonymising the reports would involve removing dates of specific incidents, background information about patient's health, taking out references to the sex of patients and members of staff, etc.In the light of this, the Commissioner believes that, despite Mr Wilson's role as employee, the disclosure of anonymised reports and action plans would not lead to him identifying the subjects of the reports and the staff members involved in the incidents.

147.The Commissioner notes that NHS Ayrshire and Arran believes that, even if the names of the individuals are removed (and the Commissioner, as noted above, recognises that in this case anonymisation involves more than just the redaction of names), the individuals to whom the data relate would be readily identifiable by NHS Ayrshire and Arran.The Commissioner understands this to be a reference to definition (b) of personal data in section 1(1) of the DPA.This argument suggests that, if a data controller holds underlying identifying data, the information which is the subject of the information request will always be personal data regardless of whether disclosure of that information would allow data subjects to be identified.

148.Definition (b) was considered by the High Court of England and Wales in the case of Department of Health v Information Commissioner^[8].That case involved a request for abortion statistics held by the Department of Health (DOH).The DOH had argued that, because it held information which would identify individual patients, the number of abortions which had been carried out were, given definition (b), personal data.However, the High Court, with reference to the House of Lords in the CSA case, disagreed with this approach, so the fact that a data controller holds other identifying information does not automatically mean that information in an anonymised form will be personal data.

149.In this case, having considered the tests in Department of Health v Information Commissioner, the Commissioner has concluded that the fact of NHS Ayrshire and Arran having access to other identifying information does not mean that the anonymised versions of the reports and action plans comprise personal data.What is important is whether, as was made clear by the Court of Session in the case of Craigdale Housing Association and others v Scottish Information Commissioner^[9], disclosure of the information would lead to the identification or whether there is other information in the public domain which, when taken with the information, would reasonably allow for identification.

150.NHS Ayrshire and Arran also commented that to try to redact all the personal data contained in the reports and would render the text meaningless.As such, in the view of NHS Ayrshire and Arran, it was not possible to fully anonymise the reports.It drew the Commissioner's attention to a 2008 decision issued by the (UK) Information Commissioner where he determined that five CIRs held by Merseyside Care NHS Trust could not be anonymised without rendering the reports meaningless^[10].

151.The Commissioner believes that the current case can be differentiated from the (UK) Information Commissioner's decision involving Mersey Care NHS Trust.That case involved five CIRs which followed on from one high profile incident, i.e. a murder in which a patient of the Trust was involved.The Commissioner has clearly not had access to those reports and, consequently, cannot say whether he would have taken the same view as the (UK) Information Commissioner, but given the subject matter of the CIRs and the fact that they all focused on one high profile incident, the Commissioner recognises that there may well have been difficulties anonymising the CIRs.

152.The Commissioner has considered carefully the arguments advanced by NHS Ayrshire and Arran as to whether anonymisation is possible ? and feasible.Having read through each of the reports and action plans, and for the reasons given above, he is satisfied that they can be anonymised in such a way that no identification would take place (either through the anonymised information itself or from the anonymised information together with other information in the public domain) without rendering the reports and action plans meaningless.While he accepts that this will involve the redaction of a certain amount of personal data, the information which will be left will give an insight into the incidents which led to the CIRs/SAERs and NHS Ayrshire and Arran's response to these incidents, and cannot, therefore, be described as meaningless.

153.NHS Ayrshire and Arran has also commented that it would be laborious to try to redact the personal information.However, as part of his investigation, the Commissioner has gone through each of the reports and action plans and has carried out redactions which, in his view, would fully anonymise the information.While the Commissioner recognises that this has involved a certain amount of work on behalf of his Office, the Commissioner does not consider the work to have been so burdensome as to make it impracticable.

Section 38(1)(d) ? Deceased person's health record

154.During the investigation, NHS Ayrshire and Arran submitted that information within the CIR/SAER action plans relating to deceased persons would be exempt under section 38(1)(d) of FOISA.(Although NHS Ayrshire and Arran focused on the action plans when considering this particular exemption, the Commissioner has also considered it appropriate to consider the exemption in the context of the reports.)This is an absolute exemption in that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.

155.Section 38(1)(d) exempts information from disclosure if it constitutes a deceased person's health record.Section 38(5) makes it clear that "health record" has the meaning assigned to it by section 1(1) of the Access to Health Records Act 1990 ("the 1990 Act").The 1990 Act defines "health record" as a record which (a) consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record and (b) has been made by or on behalf of a health professional in connection with the care of that individual.

156.A number of the CIRs and SAERs have been prepared following the death of a patient.These reports contain information which has clearly been taken from a deceased person's health records and so, without further redaction, such information would be exempt from disclosure under section 38(1)(d).

157.However, the Commissioner has again taken account of the comment by Lord Rodger in paragraph 73 of the CSA case (addressed in paragraphs 140 above) and considers that even if the information which has been withheld from Mr Wilson does constitute "a deceased person's health record", NHS Ayrshire and Arran was still under an obligation to consider whether it could comply with section 1(1) of FOISA by giving the information in another form.

158.The Commissioner notes that the definition of health record in section 1(1)(a) of the 1990 Act is similar to the definition of "personal data" in section 1(1) of the DPA, in that it includes a reference to identification "from that information" as well as "from that and other information in the possession of the holder of the record."

159.The Commissioner has considered whether this means that, even if the information in the reports, etc. could be anonymised, the fact that NHS Ayrshire and Arran possesses other information from which a deceased individual could be identified, means that the information is exempt from disclosure under section 38(1)(d).However, he has considered that this is not the case and he believes that the interpretation given by the Courts to definition (b) of personal data, addressed in paragraphs 147 to 149 above, is also relevant to the interpretation of health record.

160.The Commissioner considers that, by anonymising the reports and action plans to withhold the names and any other information which could lead to the identification of any patient, it is possible for NHS Ayrshire and Arran to comply with Mr Wilson's request without disclosing information which would be exempt under section 38(1)(d) of FOISA.This would necessarily include the redaction of most information taken directly from a patient's health record.He therefore finds that, while NHS Ayrshire and Arran was entitled to withhold information under section 38(1)(d), NHS Ayrshire and Arran failed to comply with section 1(1) of FOISA in failing to provide the information to Mr Wilson in a form which would not lead to the disclosure of information which was exempt under section 38(1)(d) of FOISA.

Section 36(2) ? Confidentiality

161.NHS Ayrshire and Arran also advised the Commissioner that, if the action plans were not deemed to be part of a deceased person's health record, it would apply the exemption in section 36(2) of FOISA to information relating to deceased persons.(NHS Ayrshire and Arran's arguments in relation to section 36(2) also referred to the CIR/SAER reports, so the Commissioner has presumed that it wishes to apply the exemption to all of the information withheld from Mr Wilson and not just to the action plans.)

162.As noted above, the Commissioner has determined that the exemption in section 38(1)(d) does apply to certain of the information in the reports, etc., but that it is possible for certain information to be disclosed to Mr Wilson in a format which would not lead to the disclosure of information which would otherwise be exempt under section 38(1)(d) of FOISA.

163.In the circumstances, the Commissioner has gone on to consider whether the exemption in section 36(2) applies.It should be noted that, in considering whether the exemption applies, the Commissioner is considering the information withheld from Mr Wilson in a version which has been redacted to withhold information which would identify living individuals (where the Commissioner has concluded that disclosure would breach the first data protection principle) or would identify deceased individuals.

164.Under section 36(2) of FOISA, information is exempt information if it was obtained by a Scottish public authority from another person (including another such authority) and if its disclosure by the authority which obtained it to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person.This exemption is absolute, in that it is not subject to the public interest contained in section 2(1)(b) of FOISA.However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain the disclosure of information which is justified in the public interest (this is commonly known as "the public interest defence").

165.NHS Ayrshire and Arran commented that the CIR/SAER reports contain a large amount of information from patients, staff and other third parties, as well as containing reports and discussions with various medical practitioners.The Commissioner does not accept that information which has been provided by a medical practitioner employed by NHS Ayrshire and Arran can be considered to have been obtained from another person, as is required by section 36(2).However, it is clear that there is information in the reports and action plans which would have been obtained from a third party.As such, he is happy to accept the first test applies to that information.

166.There are three main requirements, all of which must be met before a claim for breach of confidentiality can be established.These are as follows:

the information must have the necessary quality of confidence;

the information must have been communicated in circumstances imparting an obligation of confidentiality and

there must have been unauthorised use or disclosure of the information to the detriment of the party communicating it.

167.In respect of these tests, NHS Ayrshire and Arran argued, respectively, that the CIRs/SAERs are confidential in their entirety and that only a limited number of staff have access to the reports; all of the information is gathered with the expectation and an obligation to maintain confidentiality and that the disclosure of the documents would potentially cause damage or distress to surviving relatives or to the health professionals who provided the information in confidence.

168.As noted above, the information which the Commissioner is considering under this exemption is the information which has been withheld from Mr Wilson, but in a format anonymised to withhold information which would identify living individuals (where disclosure would breach the data protection principles) or would identify deceased individuals.

169.Given that what is being considered is anonymised information, the Commissioner does not believe that disclosure of the information in this form would cause damage or distress to surviving relatives or, where relevant, to the health professionals who provided the information in confidence.

170.The Commissioner notes that NHS Ayrshire and Arran has published (and intends to continue publishing) redacted versions of the action plans, so it is clear that NHS Ayrshire and Arran has also recognised that it is possible to disclose information in a redacted form without leading to an actionable breach of confidence.

171.Given that the Commissioner does not consider that the exemption applies to the information he has considered in relation to section 36(2), he is not required to go on to consider the public interest defence.

Section 26(a) ? Prohibitions on disclosure

172.NHS Ayrshire and Arran also applied the exemption in section 26(a) to all of the information withheld from Mr Wilson which was not either part of a deceased person's health record (and thereby exempt under section 38(1)(b)) or which was not exempt by virtue of section 36(2) of FOISA.Again, it should be noted that the information which the Commissioner is considering here is the information withheld from Mr Wilson in a version which has been redacted to withhold information which would identify living individuals (where the Commissioner has concluded that disclosure would breach the first data protection principle) or would identify deceased individuals.

173.Under section 26(a) of FOISA, information is exempt information if its disclosure by a Scottish public authority (otherwise than under FOISA) is prohibited by or under an enactment.This is an absolute exemption in that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

174.NHS Ayrshire and Arran argued that section 6(1) of the Human Rights Act 1998 prohibits the information from disclosure as it is unlawful for a public authority to act in a way which is incompatible with the European Convention on Human Rights (the ECHR).NHS Ayrshire and Arran considered that disclosure would be incompatible with Article 8 of the ECHR, under which everyone has the right to respect for private and family life, home and correspondence.

175.NHS Ayrshire and Arran specifically commented that it would be incompatible with Article 8 to make any reports or notes relating to an individual's health or wellbeing generally available to the public (which is, of course, the effect of a disclosure under FOISA).

176.As noted above, the Commissioner has already determined that personal data, the disclosure of which would breach the first data protection principle, or information from which a deceased person could be identified, should not be disclosed by NHS Ayrshire and Arran.

177.The Commissioner has therefore considered the exemption in section 26(a) only in relation the remaining information and, in the absence of such identifying information, he finds that the exemption in section 26(a) does not apply.

Section 30(c) ? Prejudice to effective conduct of public affairs

178.Information is exempt from disclosure under section 30(c) of FOISA if its disclosure would, or would be likely to, "otherwise" prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.The use of the word "otherwise" in the exemption distinguishes the harm required from that envisaged by the exemptions in sections 30(a) and (b).Given the breadth of the exemption in section 30(c), the Commissioner expects any public authority relying on it to show what specific harm would be caused to the conduct of public affairs by the disclosure of the information and how that harm would be expected to follow from disclosure.

179.As noted, disclosure must prejudice substantially or be likely to prejudice substantially the effective conduct of public affairs.There is no definition in FOISA or what is deemed to be substantial prejudice, but the Commissioner considers the harm would require to be of real and demonstrable significance.The authority must be able to satisfy the Commissioner that the harm would, or would be likely to, occur; therefore, the authority needs to establish a real risk or likelihood of harm at some time in the near (certainly the foreseeable) future, not simply that harm is a remote possibility.

180.The exemption is a qualified exemption in that it is subject to the public interest test set out in section 2(1)(b) of FOISA.

181.As noted above, the Commissioner has already determined that personal data, the disclosure of which would breach the data protection principles, or information from which a deceased person could be identified, should not be disclosed by NHS Ayrshire and Arran.He will therefore only consider the exemption in section 30(c) in relation to the remaining information.

182.NHS Ayrshire and Arran argued that to release full details of the investigation reports would have a significantly disruptive effect on the way in which it carries out SAERs in future.NHS Ayrshire and Arran commented that, during an investigation, it requires interviewees to be as candid and open as possible in order to discover if there have been any failings in its systems which may have led to the incident which is under investigation.

183.NHS Ayrshire and Arran noted that this can be a stressful time for all those involved, and if it were the case that the information provided to the investigatory team were to be released in full at a later date, this may stop staff from being as honest in disclosing details of human or administrative failings that occurred; anonymity allows interviewees to have a free and frank discussion about the systems and processes influencing events relating to the incident under review without any fear of reprisals from aggrieved members of staff or patients.

184.NHS Ayrshire and Arran also commented that the information is sensitive; it may relate to medical practices or weaknesses in systems and processes which, if they become common knowledge, may prove to be detrimental to patient care, for example in relation to provisions surrounding medication and its location within the ward.

185.NHS Ayrshire and Arran also commented that, for a SAER to be effective, balanced and objective, it requires the senior management allocated the task of carrying out the review to be able to gain full exposure to what occurred and to be able to report any failings without fear of criticism or reprisal.

186.Lastly, NHS Ayrshire and Arran commented that, at the conclusion of a SAER, there may be criminal proceedings or a fatal accident inquiry and that it would be sub-judice to disclose information prior to such proceedings.However, NHS Ayrshire and Arran did not provide the Commissioner with any evidence that the information which had been withheld from Mr Wilson fell into such a category.

187.Mr Wilson disagreed with the approach being taken by NHS Ayrshire and Arran in relation to this exemption.He found NHS Ayrshire and Arran's argument regarding detriment to patient care to be "baffling", taking the view that the highlighting of poor systems and processes would in fact ensure that the systems and processes would not be repeated and that would lead to care being improved.

188.Mr Wilson also questioned NHS Ayrshire and Arran's assertion that disclosure of such information would lead to those involved in the process disengaging from the process.He quoted from the Nursing and Midwifery Council's Code of Conduct^[11] which states that staff "must cooperate with internal and external investigations" (paragraph 56) and which notes that "Failure to comply with this code may bring your fitness to practise into question and endanger your registration."Mr Wilson commented that other professions would be subject to the same types of professional codes and that staff could not, therefore, refuse to engage with the process.

189.He referred the Commissioner to NHS Ayrshire and Arran's current "Adverse Event Policy and Supporting Procedures", which requires all members of staff to report adverse events within the timescales outlined in the policy.He also referred the Commissioner to the incident which had led to him first asking for a copy of the 2006 CIR.Given that it was incorrect, he considered that it was important for people to be able to view the reports in order to determine that they accurately reflected what had happened.

190.Mr Wilson also referred to the fact that NHS Ayrshire and Arran had asked PwC to carry out an audit of how CIR/SAER events had been managed over the past five years (this report is referred to in more detail above) and questioned NHS Ayrshire and Arran's ability to manage such events.

191.The Commissioner has considered the arguments put forward by both NHS Ayrshire and Arran and Mr Wilson.While he recognises that disclosure of the information in full could, in certain circumstances, have some of the negative effects envisaged by NHS Ayrshire and Arran, given that he is only considering information with identifying characteristics removed (the Commissioner has agreed for example, that it would not be appropriate to disclose details of the staff who were involved in the incidents which led to the reports), the Commissioner has come to the conclusion that disclosure of the anonymised reports would not, and would not be likely to, prejudice substantially the effective conduct of public affairs.

192.NHS Ayrshire and Arran's Adverse Event Policy outlines the responsibility of members of staff in reporting, managing etc. adverse events.The staff involved are professionals, most of whom are subject to professional codes of practice.The Commissioner considers that disclosure of anonymised CIRs/SAERs will, instead of leading to staff disengaging from the process, have the effect of reassuring staff that NHS Ayrshire and Arran takes adverse events seriously and gives them an opportunity to learn from them.

193.As the Commissioner has concluded that the exemption in section 30(c) does not apply to the anonymised versions of the information withheld from Mr Wilson, he is not required to go on to consider the public interest test in section 2(1)(b).

Section 14 ? vexatious/repeat request

194.Scottish public authorities are not obliged to comply with a request for information if the request is vexatious (section 14(1)) or, where a Scottish public authority has complied with a request from a person for information, to comply with a subsequent request from that person which is identical or substantially similar unless there has been a reasonable period of time between the making of the request complied with and the making of the subsequent request.

195.NHS Ayrshire and Arran advised Mr Wilson, on reviewing his information request, that it considered his request to be vexatious and repeat, except to the extent that his request was for a copy of the action plans arising out the SAERs, on the basis that this part of his request was for different information about a new process.(As noted above, NHS Ayrshire and Arran considered the action plans to be exempt from disclosure under section 27(1) of FOISA.)

196.During the investigation, on being advised by the investigating officer that the Commissioner was unlikely to find that Mr Wilson's request was either vexatious or repeat, NHS Ayrshire and Arran chose to withdraw its reliance on section 14 of FOISA.Accordingly, the Commissioner will not examine in detail the submissions made by NHS Ayrshire and Arran on these points.However, he is obliged to determine whether NHS Ayrshire and Arran complied with Part 1 of FOISA in originally determining that Mr Wilson's request was vexatious and/or repeat.

197.As is clear from the background to this request, Mr Wilson has an interest in CIRs and action plans and has entered into correspondence with NHS Ayrshire and Arran in an attempt to obtain copies of the CIR (and subsequent action plan) he was involved with.The difficulties he faced as a staff member in obtaining this information, and his concerns about NHS Ayrshire and Arran's policies and practice in relation to that and other CIRs has clearly led to his wider interest in the CIRS and, more recently, the SAERs, as a whole.

198.NHS Ayrshire and Arran advised Mr Wilson, on reviewing his request, that it believed that it had responded openly and fairly to his request, and to his previous requests.It considered that it had disclosed information when "appropriate and available".It also advised Mr Wilson that, as all of his requests are for the same or similar information, it was deeming his request to be vexatious (to this extent, NHS Ayrshire and Arran appear to have conjoined the tests in sections 14(1) and (2)).It then went on to advise Mr Wilson that CIRs and SAERs are confidential in their entirety and that it did not hold any CIR action plans, with the exception of the action plan already provided to him.

199.As can be seen from the remainder of this decision, it is clear that the CIR and SAERS which NHS Ayrshire and Arran told Mr Wilson that it held could in fact be disclosed in an anonymised form and that NHS Ayrshire and Arran did in fact hold the CIR action plans.As such, the Commissioner finds that Mr Wilson's request was not vexatious under section 14(1) of FOISA.

200.Having also considered the earlier requests made by Mr Wilson and the responses by NHS Ayrshire and Arran, the Commissioner finds that Mr Wilson's request of 10 February 2011 was not identical or substantially similar to a request which NHS Ayrshire and Arran had previously complied with.As such, he finds that Mr Wilson's request was not repeat under section 14(2) of FOISA.

Information to be disclosed

201.With this decision, the Commissioner will provide NHS Ayrshire and Arran with a copy of the reports and action plans which he considers fall within the scope of Mr Wilson's request, marked up to show the information which he considers should be redacted in order to anonymise the reports and plans, and which anonymised reports and plans the Commissioner considers that NHS Ayrshire and Arran has a duty to disclose in order to comply with its duty under section 1(1), as expressed by Lord Rodger in the CSA case.

Conclusion

202.In conclusion, this decision involves perhaps the most serious catalogue of failings to search for and find information within the scope of a request that the Commissioner has ever had to deal with.Claims were made to the applicant which turned out to be wrong; prior assurances were given to the Commissioner which turned out to be unjustified; explanations for the failings were given in the course of this investigation which cannot be relied upon. Were it not for the persistence of Mr Wilson both in terms of his request to the authority (which the authority at one point characterised as being vexatious) and in his application and submissions to the Commissioner, it would appear to be the case that the authority would have continued to insist that information was not held. At the very least, this constitutes a significant failure of records management. Given the nature of the information, involving critical incidents and significant adverse events, which needs to be shared professionally for lessons to be learned and for the public to be reassured that action has been taken in response, the information failings may point to wider governance issues which have to be addressed.

203.This decision is being communicated to the Chairman of Ayrshire and Arran NHS Board as well as to the Chief Executive, and will also be shared with other relevant parties. Furthermore, the Commissioner, who is about to demit office, will recommend to the new Commissioner (who takes up post on 1 May 2012), that consideration is given to carrying out an assessment of NHS Ayrshire and Arran's freedom of information practices.Such an assessment should also include a consideration of whether a practice recommendation should be issued.

DECISION

The Commissioner finds that Ayrshire and Arran NHS Board (NHS Ayrshire and Arran) generally failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Wilson.

He finds that, by applying the exemption in section 25(1) of FOISA to the small amount of information which it had already supplied to Mr Wilson, NHS Ayrshire and Arran complied with FOISA.

The Commissioner also finds that NHS Ayrshire and Arran was entitled to withhold certain personal data under section 38(1)(b) and information constituting a deceased person's health record in terms of section 38(1)(d) of FOISA.However, the Commissioner finds that NHS Ayrshire and Arran failed to comply with Part 1 of FOISA and, in particular, with section 1(1) of FOISA, by failing to supply this information in an anonymised form to Mr Wilson.

The Commissioner also finds that NHS Ayrshire and Arran failed to comply with Part 1 of FOISA in the following respects:

by advising Mr Wilson, in line with section 17(1) of FOISA, that it did not hold any CIR action plans, with the exception of the plan they had already provided to him;

by refusing to comply with Mr Wilson's request on the basis that it was vexatious under section 14(1) of FOISA and repeat under section 14(2) of FOISA

by applying the exemption in section 27(1) of FOISA to the SAERaction plans and, later, to the CIR action plans;

by applying the exemption in section 38(1)(b) of FOISA to the personal data of senior officials responsible for carrying out the reviews, as described above and

insofar as the Commissioner did not find the information to be exempt from disclosure under sections 38(1)(b) or (d), by applying the exemptions in sections 26(a), 30(c) and 36(2) of FOISA to information.

The Commissioner therefore requires NHS Ayrshire and Arran to disclose the CIRs, SAERs and action plans to Mr Wilson, in a form which is suitably anonymised to prevent the disclosure of personal data (except to the extent that the disclosure of the personal data is permitted by the first data protection principle) and of deceased individuals to the extent that the CIRs, SAERs and action plans comprise their health records, as defined in section 1(1) of the Access to Health Records Act 1990.The Commissioner requires these steps to be taken by Tuesday 10 April 2012.

Appeal

Should either Mr Wilson or Ayrshire and Arran NHS Board wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision.

Kevin Dunion
Scottish Information Commissioner
21 February 2012

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

?

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

?

(e) in subsection (1) of section 38 ?

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

14 Vexatious or repeated requests

(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information the request is vexatious.

(2) Where a Scottish public authority has complied with a request from a person for information, it is not obliged to comply with a subsequent request from that person which is identical or substantially similar unless there has been a reasonable period of time between the making of the request complied with and the making of the subsequent request.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

?

25 Information otherwise accessible

(1) Information which the applicant can reasonably obtain other than by requesting it under section 1(1) is exempt information.

?

27 Information intended for future publication

(1) Information is exempt information if ?

(a) it is held with a view to its being published by ?

(i) a Scottish public authority; or

(ii) any other person,

at a date not later than twelve weeks after than on which the request for the information is made;

(b) when that request is made the information is already being held with that view; and

(c) it is reasonable in all the circumstances that the information be withheld from disclosure until such date as is mentioned in paragraph (a).

?

 

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

?

(c) would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

36 Confidentiality

?

(2) Information is exempt information if ?

(a) it was obtained by a Scottish public authority from another person including another such authority); and

(b) its disclosure by the authority so obtaining it to the public (otherwise than under this Act) would constitute a breach of confidence actionable by that person or any other person.

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(d) a deceased person's health record.

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

?

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

"health record" has the meaning assigned to that term by section 1(1) of the Access to Health Records Act 1990 (c.23)

?

44 Recommendations as to good practice

(1) If it appears to the Commissioner that the practice of a Scottish public authority in relation to the exercise of its functions under this Act does not conform with the code of practice issued under section 60 or 61, the Commissioner may give the authority a recommendation (in this Act referred to as a "practice recommendation").

(2) A practice recommendation must ?

(a) be in writing and specify the code and the provisions of that code with which, in the Commissioner's opinion, the authority's practice does not conform; and

(b) specify the steps which that officer considers the authority ought to take in order to conform.

(3) The Commissioner must consult the Keeper of the Records of Scotland before giving a practice recommendation to a Scottish public authority (other than the Keeper) in relation to conformity with the code of practice under section 61.

65 Offence of altering etc. records with intent to prevent disclosure

(1) Where ?

(a) a request for information is made to a Scottish public authority; and

(b) the applicant is, under section 1, entitled to be given the information or any part of it,

a person to whom this subsection applies who, with the intention of preventing the disclosure by the authority of the information, or part, to which the entitlement relates, alters, defaces, blocks, erases, destroys or conceals a record held by the authority, is guilty of an offence.

(2) Subsection (1) applies to the authority and to any person who is employed by, is an officer of, or is subject to the direction of, the authority.

(3) A person guilty of an offence under subsection (1) is liable, on summary conviction, to a fine not exceeding level 5 on the standard scale.

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires ?

?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

?

(e) [the data subject's] physical or mental health or condition,

?

(g) the commission or alleged commission by [the data subject] of an offence, or

(h) any proceedings for any offence committed or alleged to have been committed by [the data subject], the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 2: Conditions relevant for purposes of the first principle: processing of any personal data

1.The data subject has given his consent to the processing.

?

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

?

Schedule 3: Conditions relevant for purposes of the first principle: processing of sensitive personal data

1.The data subject has given his explicit consent to the processing of his personal data.

?

Access to Health Records Act 1990

1 "Health record" and related expressions

(1) In this Act "health record" means a record which ?

(a) consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record; and

(b) has been made by or on behalf of a health professional in connection with the care of that individual;

?

Human Rights Act 1998

6 Acts of public authorities

(1 ) It is unlawful for a public authority to act in a way which is incompatible with a Convention right.

?

Schedule of documents

Names of the 52 CIRs/SAERs which fall within the scope of Mr Wilson's request

 

Patient 2991	Patient Y	Patient A
Patient B	WR9837	WR10912
WR5955	WR22166	WR21277, WR21278, WR21285
WR25271	IR1E03310	WR26104
Patient Z	WR26520, WR26522, WR26523, WR26775	WR28043, WR28040
WR27042	WR27469	WR26818, WR27015
ID301009	ID031109, IR1E05779	WR30140
IR1E05613	WR30774, WR30775	WR32656
WR32655	ID3745	WR24554
WR21372	NEAR MISS DUPLICATE PATIENT NUMBERS AT AYR HOSPITAL	Patient C
Patient W	WR14095	WR7482
Patient X	WR31632	ID2254
ID2276, ID6964, ID6967	ID90	ID701
WR32651	ID2243	3071
[Name of hospital] absconsion	Podiatry	Radiology reporting
Diathermy machines	Child protection	Opiate overdose
[Initials of patient] Absconsion	Kidney	Missed diagnosis
Plasma

 

---

[1] http://www.clinicalgovernance.scot.nhs.uk/section5/tools.asp

[2] http://www.scotland.gov.uk/Resource/Doc/933/0109425.pdf

[3] http://www.nhsaaa.net/publications/significant-adverse-event-reports.aspx

[4] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF

[5] [2008] UKHL 47 http://www.bailii.org/uk/cases/UKHL/2008/47.html

[6] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=661&sID=133 (This is a link to the November 2011 version of the Commissioner's guidance. However, the factors set out here were also included in the version of the guidance which was extant at the time when NHS Ayrshire and Arran responded to Mr Wilson's request.)

[7] http://www.nhsaaa.net/your-health/your-health-a-e/an-introduction-to-nhs-ayrshire-arran.aspx

[8] [2011] EWHC 1430 (Admin) http://www.bailii.org/ew/cases/EWHC/Admin/2011/1430.html

[9] [2010] CSIH 43 http://www.scotcourts.gov.uk/opinions/2010CSIH43.html

[10] Mersey Care NHS Trust, 14 January 2008, FS50130130

[11] http://www.nmc-uk.org/Documents/Standards/The-code-A4-20100406.pdf