CQC and data protection, redux

In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up an critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.

Even Christopher Graham, the Information Commissioner got involved, saying

This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear

and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):

on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage

Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named

  • Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and

  • Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.

The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter

So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.

In a postscript to my original blog post I wondered idly about

the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA

It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.

1 Comment

Filed under Confidentiality, Data Protection, defamation, Information Commissioner

One response to “CQC and data protection, redux

  1. Tim Turner

    Although there was probably some enthusiastic bandwagon jumping at the time, Christopher Graham’s point was largely right. The fact that the comments are – apparently – untrue can’t be all that much of a surprise given that the whole thing boils down to one person’s word against another. Responsibility for that problem almost certainly lies with the unwise decision to keep inadequate records of whatever was said. This is probably why the auditors gave weight to the one contemporaneous note in the first place.

    I think this whole thing is better off in the open than not. The problems at the CQC needed to be aired, and I think it’s better that the arguments about who said what should be out in the open.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s