Data Protection laws have been said to be behind the decision not to name CQC officials alleged to have covered-up a damning internal report. Oh really? Well, yes, perhaps, I argue.
News bulletins today lead with the story that the Care Quality Commission apparently engaged in a cover-up of an internal review report critical of its oversight of University Hospitals Morecambe Bay in 2010, an NHS Trust now subject to investigations over the deaths of at least eight mothers and babies. The allegations of a cover-up were made by a whistleblower interviewed as part of an investigation by Grant Thornton, who were commissioned by CQC to look into its own activites. Potentially particularly damning are remarks at the time attributed to a senior manager at CQC regarding the alleged suppression on the original internal review report
Are you kidding me? This can never be in a public domain, nor subject to FOI
The Grant Thornton report, as published, has redacted the name of this senior manager and a colleague. And the Data Protection Act 1998 (DPA) is pleaded in defence of the redaction. As the Telegraph reports
The names of two individuals who ordered the destruction of evidence of the Care Quality Commission’s failure to investigate the University Hospitals of Morecambe Bay NHS Trust have been redacted from an official report…David Prior, the new chairman of the CQC, said that the names had been redacted because of “data protection concerns” and because the watchdog fears being sued…”to publish it with the names would breach the Data Protection Act.We would have been open to being sued on that basis”
As a number of people have pointed out, this is certainly questionable. Ben Bradshaw MP is reported by the Guardian as saying in Parliament that
the [Data Protection Act] allows exceptions in cases where protecting the public is an issue
and, in a thundering editorial, Health Policy Insight say the decision
is, quite simply, bullshit…Nor is it just a minor pellet of bullshit. This is epic, hog-whimpering and noxious bullshit…The Data Protection Act affords specific exemption at Section 55 2(d) “to a person who shows … that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”…Moreover, the Information Commissioner’s Office, which enforces the Data Protection Act, is explicit in its advice on Principles One and Two (those dealing with an individual personal data) that fairness is crucial: “it depends on whether it would be fair to do so … personal data must not be processed for any purpose that is incompatible with the original purpose or purposes”
While I admire the level of polemic, HPI are rather mistaken in their analysis of the DPA. And I submit that it was not necessarily wrong for David Prior to be advised that disclosure of the name of the person might breach the DPA. I would stress that I am not suggesting that those responsible for failures at CQC should not be accountable for those failure, nor, if it is true that the original internal review report was suppressed, that those who did so should not also be accountable. What I do suggest is that, on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage. I say this despite the parliamentary statement by the Secretary of State for Health, to the effect that he had not wanted the redactions, and that
There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this
(On this, we should perhaps remember the unlawful decision by Mr Bollocks [ed: Balls] peremptorily to require the dismissal of Sharon Shoesmith. Politicians are first and foremost politicians. They are not generally there to be lawyers or employers.)
The name of the person involved is clearly going to constitute “personal data” according the definition in section 1(1) of the DPA. And, for these purposes, the “data controller” (with whom lies the decision as to whether to disclose or redact, and to whom liability for a breach of DPA attracts) is CQC itself. HPI cite section 55(2)(d) of the DPA, which broadly provides that the offence of unlawfully obtaining personal data does not apply if it has been done in the public interest. This provision deals with a criminal offence of inter alia disclosing personal data without the consent of the data controller. This clearly does not apply here.
HPI are correct, however, in pointing to the first principle (as listed in Schedule One) of the DPA, and its reference to fairness (although they are talking nonsense when they refer to the first two principles being those “dealing with an individual personal data” [sic] – the whole of the DPA applies to an individual’s personal data). The first principle provides that the processing (and disclosure of a name will be “processing” under the DPA) of personal data must be fair and lawful.
When deciding whether names of public officials should be disclosed (albeit in response to a Freedom of Information request) the Information Commissioner (ICO) says
[the public authority] must decide whether disclosure would breach Principle 1 of the Data Protection Act (the DPA), ie whether it would be fair and lawful to disclose the information.
Whether the disclosure is fair will depend on a number of factors including:
the consequences of disclosure;
the reasonable expectations of the employees; and
the balance between any legitimate public interest in disclosure and the rights and freedoms of the employees concerned…
These are the factors CQC would need to take into account, and one can see that a balancing exercise would ensue. The consequences of disclosure – of what appear merely to be allegations – for the person or persons involved could be grave, and be an important factor in identifying what his or her rights and freedoms are. On the other side, there would be appear to be a clear public interest in disclosure, notwithstanding that, I repeat, these are mere allegations, on the basis that someone taking such a significant decision as to try (allegedy) to suppress publication of the adverse report should be accountable (as should the CQC as their employer) for such actions. The issue as to reasonable expectations is more difficult however. If the person or persons has been told in explicit terms that their name will not be disclosed, they may have very strong expectations that this will not happen. As to whether those expectations are reasonable, one would need to know the terms upon which any undertaking might have been given. Employment rights might well be engaged
Also to be considered is that the naming of the person or persons in circumstances in which it might subsequently transpire that the allegations were not true could give rise to a successful claim in defamation. Indeed, as Robin Hopkins has observed, DPA is increasingly used as a primary claim in actions involving defamatory publications.
I repeat, none of this is to defend the actions of CQC, nor, if the allegations are shown to be true, to defend the actions of anyone who suppressed the report. It is simply to say that the claim that the DPA might be engaged at this point, and potentially breached if disclosure of names happened. Disclosure, in a clearly fair and lawful way, might follow in due course.
I note that the Deputy Information Commissioner is reported tonight as saying
The Data Protection Act does not specifically prevent people being named publicly, but instead talks about using information fairly and considering what expectations of confidentiality people may have had when providing their personal information.
It is important the Data Protection Act is not used as a barrier to keep information out of the public domain where there is an overriding public interest in disclosure.
David Smith is a clever and astute man. He did not say the names should be revealed. That is revealing.
My attention has been drawn to last night’s episode of BBC’s Newsnight on which David Smith’s boss, Information Commissioner Christopher Graham. As the BBC itself reports, he said
“This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear.
“You have to process data fairly, you have to take into account people’s expectation of confidentiality.”
He said that was “obviously” the case with patient data in particular.
But when it came to officials, “there you have to apply a public interest test”, he added.
He said he was “not convinced” the CQC had been correctly advised.
He ended his short interview by saying “I think [the CQC] are going to have to look at this again”.
Fair enough. He’s right and I’m wrong then? Well, no – he still didn’t by any means say that disclosure now had to happen (and, in his role, he would have been be very ill-advised to have done so).
And, prompted by further coverage, and a comment below by Dr Chris Pounder, who probably knows more about Data Protection than the entire staff at the ICO (and that’s not intended as an insult to the latter), I now feel that two other factors might be at play. First, if the allegations quoted in the Grant Thornton report amount to allegations of possible criminal offences (e.g. misconduct in a public office) then there is an arguable need to avoid prejudice to any police investigation. Second, if the person or persons referred to in the report have already taken steps to challenge its veracity – either as a whole, or in respect of specific comments attributed to the whistleblower – then it would be prudent of CQC not to disclose until that challenge (whether it be made informally, or as part of or precursor to legal proceedings) has played out.
That said, when the combined forces of the government and the Information Commissioner are leaning on the CQC at least to review the decision not to disclose names, it would be a bold move to continue to resist. They will though, no doubt, be advised that there remain potential legal risks in doing so, unless they are completely satisfied about the veracity of allegations in the report.
UPDATE 2, 20.06.2013
The CQC has now published the names previously redacted. The letter to the Secretary of State makes clear that
We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.
None of this changes my view that there was a clearly arguable legal basis for redaction. Data Protection is wrongly blamed for a lot of things but it was engaged in this instance.
This outcome also raises the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA. Am I wrong to hope that happens?
14 responses to “CQC allegations and data protection”
On Channel 4 news today (Weds), the CQC chair said that
they had legal advice that they could be sued if they published the
names; I think that is tosh. However, the SoS in Parliament could
have named the individuals concerned. One assumes that they have
left naming the officials till later, especially as C4 reported
that the police have been asked whether a crime has been committed
by those involved in the alleged “cover-up”. This latter point
perhaps is more convincing reason not to name at the moment;
however, the names will emerge.
Well they *could* be sued. Maybe not successfully…
David Smith understands his role. He cannot state whether
or not the organisation should disclose because he may have to make
that decision. Were he to state his preferences publcly, then he
would prejudice such a decision. A further problem is that the
first priority for any employee is to the organisational interest
not the public interest. The public interest does not give the
contract nor does it pay the bills. In that regard, it is not
surprising it took a whistleblower to reveal this issue. Do you
think an FOIA would have revealed it. 🙂 However, several questions
still come to mind that need to be asked. First, what is the advice
given by the internal DPA officer regarding the case? You will note
that they sought legal advice so that they can avoid disclosing the
DPA advice under s.42 FOIA. The same exemption does not apply to
the advice from a DPA officer. Second, has anyone asked for the
internal correspondence relating to the decision to get legal
advice? Third, has anyone asked to see the public interest test
(which will not be legal advice) that was used to decide to refuse
to disclose? If the organisation is likely to initiating a
disciplinary procedure against the person who is alleged to have
made the statement, it may be a year before we know the name. First
they would need to investigate the case. This could take weeks or
months. Then, they would need to hold hearings. Once they hold
hearings, they have appeals. Soon, we are looking at 6 months to a
year before the name might be considered to be fair for disclosure.
If the investigations fail to sustain the allegations, then the
name may never be revealed. We return to the public interest and
who decides the public interest. As it stands, the public interest
stops at the door of the organisation because the organisation
decides the public interest not the public or anyone else in this
case. In a curious way the use of the public interest in your
example actually protects people who act worse more because the
potential damage from such disclosure means that it would never be
fair to disclose their names. In other words, the employee will
have the legitimate expectation that the organisation will protect
them just as it protects itself. The question to ask is when would
the public interest be enough to warrant disclosure of improper
employee behaviour … in any case?
Only someone with full knowledge of all the facts about the decision to suppress and the reasons for it qualifies to make the disclosure decision. Were these two mavericks acting in complete disregard of their responsibilities ? Or were their actions due to ‘reasonable’ beliefs about what was expected of them by their employer which may lead to a very different conclusion ? The latter is certainly not far fetched given what we know of NHS culture.
Put another way it is doubtful whether making someone a scapegoat (def: One that is made to bear the blame of others) can be fair processing in DP terms.
It would be interesting to know whether those concerned have served s10 notices …
Pingback: Cumbria hospital deaths: police widen investigation | Video
Pingback: Cumbria hospital deaths: police widen investigation - Government Tenders, Government News and Information - Government Online
Pingback: NHS watchdog will name officials in baby deaths 'cover-up' | Video
Pingback: LED Lighting News » Blog Archive » NHS watchdog will name officials in baby deaths ‘cover-up’
Despite my previous comment I do think the decision to disclose should have been pretty clear cut for the Chief and Deputy, given their positions. Less so for the Media Manager who may have been under some pressure, although much would depend on what her role really was.
Pingback: Transparency: Unintended Consequences | The Centre for the Study of British Politics and Public Life
‘Politicians are first and foremost politicians. They are
not generally there to be lawyers or employers.’ I disagree. You
are confusing the role of a politician, someone who engages in
politics, for example a person who stands at a local council
election even though they may have little hope of winning, with
that of an elected parliamentary representative on the one hand and
of a minister of the crown on the other. (Granted, there are those
who spend almost their entire life, or much of their life, in
politics who thereby become professional politicians. These animals
are of a different sort to the one-off-have-a-goes who stand once
at a local election and never again.) The UK taxpayer pays the
salaries of NHS civil servants. The taxpayer, however, has no
direct say in the selection of any civil servants. All that the
taxpayer can expect is that the Minister of the day will use his or
her power given by parliament properly, in a fair and even handed
manner, to ensure that country’s senior civil servants do their job
properly. If they don’t, then the taxpayer has every right to
expect that the Minister will sack the civil servants concerned and
replace them with others who WILL do the job properly. Where
relatively junior public employees are concerned, there’s a strong
argument that their names should not be revealed in any but the
most exceptional circumstances. Where relatively senior public
employees are concerned, there’s an equally strong argument that
their names should be revealed in all but the most exceptional
circumstances. This case seems to me to be one where the senior
civil servants could reasonably expect that their names would be
revealed given the gravity of the charges against them. If they
feel aggrieved by this, then let them sue the Data Controller for a
breach of their Article 8 rights under the DPA or the HRA. In the
event they sue, win or lose, when the final appeal in the matter of
the aggrieved plaintiffs vs the UK is settled by the Grand Chamber
of the European Court of Human Rights in Strasbourg, then we will
be able to see who is right and who is wrong here.
I’m afraid you’re mistaken. Ministers cannot (as a general rule) sack and appoint civil servants. If they could, the civil service would become, at a stroke, politicised. (Although numbers of special advisors – which are political appointments – are set to increase). Have you read the Shoesmith judgment?
Pingback: Latest News Headlines - Cumbria hospital deaths: police widen investigation
Pingback: CQC and data protection, redux | inforightsandwrongs