Slide background

Tribunal orders disclosure of executive summary of ICO consensual audit

The First-tier Tribunal has ordered the disclosure of the executive summary of a data protection audit ­­the Information Commissioner's Office undertook with consent at a NHS Trust.

In John Slater v Information Commissioner & (Allowed : Freedom of Information Act 2000) [2018] UKFTT 2017_0204 (GRC) the appellant had requested in January 2017 that the University Hospitals of Leicester NHS Trust disclose the summary.

The trust refused disclosure on the basis that:

  • The information was exempt under s.31 FOIA (law enforcement).
  • The trust was entitled to rely on s.31(1)(g) FOIA, in that s.31(2) (a)-(c) were also engaged.
  • The balance of public interest lay in withholding the information ‘to enable proper exploration of the issues referred to in section 31’.

Following a review, it also claimed reliance on s.36 FOIA.

Article continues below...

The ICO subsequently gave advice to the Trust that it was the Commissioner herself, rather than the Trust, whose functions might be prejudiced for the purposes of s.31 FOIA.

The Trust argued that disclosure would damage the Commissioner’s relationships with its stakeholders, the ICO would have to rely on costly formal measures and this would be a disservice to the public.

The Commissioner’s decision notice said that she was satisfied that the exemption in s.31(1)(g) was met. Mr Slater appealed.

Before the Tribunal, the Commissioner argued that she relied heavily on the willingness of data controllers to engage with her. A reluctance of data controllers to co-operate and agree voluntary audits would make her ability to carry out her regulator functions more difficult and time consuming.

However, the FTT said: “It is by no means obvious to us that a decision to disclose on the specific facts of this case, relating to the specific contents of this executive summary, would lead to significantly fewer public authorities co-operating with the Commissioner either in the health sector or on a wider basis.

"In relation to the health sector, at least, we note that there appears to be widescale agreement that executive summaries should be published following a voluntary audit and the Commissioner’s website indicate this is indeed what happens.”

It appeared that the majority of health bodies who have been subject to a consensual audit had, in fact, agreed to the publication of the executive summary on the website, the Tribunal added. “It therefore seems to us that, within the health care sector at least, things may well continue as they are now, and that the decision in this case may well not make a significant difference. It also seems difficult to us to extrapolate an anticipation as to how other data controllers in general would react to a decision to disclose in this case in the absence of any evidence before us.”

The FTT went on to say that it bore in mind the comments in the decision notice which set out the views of the Commissioner herself as to the likelihood of prejudice, and also that the test in s31 FOIA in relation to the word ‘likely’ meant only that there must be a real and significant risk of prejudice arising if the information was released. “We are of the view that that test is met, and on that basis we find that there is, indeed, a causal link between the proposed disclosure and the likely prejudice to the Commissioner’s functions.”

But it added that although it found that the test of likely prejudice was met, it did not find that prejudice to the Commissioner’s functions would be more probable than not to occur, and this was a factor that might be relevant in considering the balance between competing public interests. “In addition, we do not find established the extent of the likely prejudice claimed by the Commissioner. In relation specifically to the Trust, for example, the most that has been said is that the Trust would be reluctant or less willing to engage in the future, not that it would not actually do so.”

In relation to this, the FTT thought that there was some relevance in the documents that Mr Slater had cited that indicated that the existence of compulsory powers was a key driver to voluntary co-operation and that the Trust did, in any event, publish in its annual report details of specific DPA breaches.

The Tribunal reached the conclusion that the application of the public interest test in this case should lead to disclosure.

“It seems to us that any prejudice is ‘likely’ only in the sense that the there is a substantial risk that it will occur, and not that it is more probable or not. In addition it is our view that it has not been shown that disclosure will have a significant impact on the exercise of the Commissioner’s functions, and we would not give so much weight to this factor as the Commissioner has done in the decision notice,” it said.

The FTT pointed out as well that the information request related only to the executive summary of the report of the voluntary audit and not to the report itself.

“It is also not the case that a decision that this executive summary report should be disclosed is a precedent to say that all executive summary reports must be disclosed when requested. The engagement of s31 FOIA and the balance of the public interest must be assessed in each case,” it stressed.

The FTT said there was a very significant public interest in the very large number of patients treated at the trust being assured that it has effective measures – or not, as the case may be – in place to ensure compliance with the Data Protection Act, and in relation to its processing of those patients’ personal data. “In our view this significant public interest outweighs by some amount any limited prejudice that the Commissioner is likely to suffer in the exercise of her functions as a result of disclosure.”

In relation to s.36, the Tribunal said no arguments at all had been presented by the Trust to defend the reliance on this section. “We find there is nothing in this case, and certainly no evidence, which indicates that the exemption in s.36(2) FOIA is made out…..Given the lack of particularisation and evidence from the trust, and our view that the exemption is not therefore established, we would allow Mr Slater’s appeal on this issue also.”

Slide background