In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up an critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.
Even Christopher Graham, the Information Commissioner got involved, saying
This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear
and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying
We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.
I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):
on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage
Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named
Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and
Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.
The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter
So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.
In a postscript to my original blog post I wondered idly about
the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA
It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.
One response to “CQC and data protection, redux”
Although there was probably some enthusiastic bandwagon jumping at the time, Christopher Graham’s point was largely right. The fact that the comments are – apparently – untrue can’t be all that much of a surprise given that the whole thing boils down to one person’s word against another. Responsibility for that problem almost certainly lies with the unwise decision to keep inadequate records of whatever was said. This is probably why the auditors gave weight to the one contemporaneous note in the first place.
I think this whole thing is better off in the open than not. The problems at the CQC needed to be aired, and I think it’s better that the arguments about who said what should be out in the open.