Request
Dear sir or madam;
The information contained here addresses responses and queries from a number of trusts and, as such is further clarification of a previous request and not a new request. If you have previously replied, please read this email as it may constitute either a new request or a request for a review, depending on your previous response.
Following the feedback and support I have had from Trusts this week, I am happy to modify my FoI request further by narrowing the scope to make it easier for Trusts to respond.
If it makes it easier for your reporting, I am also happy to withdraw my previous request and for you to treat this as a new request (apologies if you have already replied, but I will use all of the information I have been sent). If you have already replied and did not provide all of the information requestion, please consider this a new request for the missing information or a request for review.
If you do not choose to treat this as a new request, I am also happy to extend the deadline to 23rd August for the existing request, which is effectively an extra 20 days anyway, Taking the second part first, I no longer require your information on information losses/SUIs, instead I will rely on the level 3 and above loss reports published quarterly on SHA websites. For Foundation Trusts, I will obtain the data from Monitor, if FTs are not included in the SHA reporting.
As for the other information, I am still trying to measure the capacity and capability of NHS information governance resources over time (for those that met me in my day job this week, I have explained why). To this end, and to ensure that the information is not exempted under section 40, I would like the information in the following table. You may provide this in a spreadsheet if it is easier for you, if also provided with an organisation chart that shows the roles listed in the hierarchy of the overall organisation, and a copy of relevant organisational job role profiles (NB, not personal ‘job descriptions’ that might constitute personal data): I have inserted a table below as an example. I would like this information for each year your organisation has existed AND completed the Information Governance Toolkit. If you are unsure how many years this applies to, log in to IGT v8, and it will show previous toolkit submissions. I recognise that the resources will change over time, and you might like to have a separate worksheet for each year.
I have not repeated the full list of possible roles, as this has caused confusion, but your Trust will have somebody in each of the following roles:
• Senior Information Risk Owner
• Caldicott Guardian
• Privacy Officer
• Registration Authority Manager
You will also have somebody, more than one person, or the same people responsible for:
• Data Quality
• Information Governance
• Information Security
• Freedom of Information Act requests
• Subject Access requests
• Health and corporate records
Please don’t limit your response to the examples above; it is your IG resources I am trying to measure, roles and job titles will vary from organisation to organisation.
Job Title A4C Band WTE of IG role Years post Age Years in NHS
1-2 3-5 6-7 8-10 11+ >25 25-34 35-44 45-54 55+ 1-2 3-5 6-7 8-10 11+
In addition, I have consulted guidance from the ICO for those Trusts that have claimed section 40 exemptions. Please see the ICO guidance on disclosing salaries: http://www.ico.gov.uk/upload/documents/library/freedom_of_information/practical_application/salary_disclosure.pdf. Please note, I am NOT asking for salaries of staff in post, I want to know what band the job role has been graded at.
I would also remind Trusts of section 16 of the Act, and contact me if you have a problem in complying with this request.
Lastly, for those collecting this information together for the first time, if it is any consolation, all of the information that is current can be used in evidence in IGT v8.
Finally, for Trusts that have relied on section 12 and 17, I would like to point out that the information I am requesting would substantially have been collected for your Information Governance Toolkit returns, at least for v7 requirements 101 and 121, and would be required to be accessible for Audit. Other information should be held in your ESR system or at least by HR, as is generally required by employment legislation (see especially FoIA section 13(1)(b)). I suggest considering both the ICO guidance (http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/dutytoconfirmordeny.pdf) and NHS Policy (http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/records) , both of which provide guidance on legal and policy requirements. For Trusts that previously complied with CQC C9 (and currently outcome 21), these standards would also apply to the ease of accessing the requested information.
NB: Please do NOT send me the names of your staff.
Our Response
I refer to your email of 26 July requesting information regarding specific roles within NHS East Midlands.
I can confirm in accordance with S.1 (1) of the Freedom of Information Act 2000 (FOIA) that we do not hold all of the information that you have requested. However, the pdf attachments contain most of the information that you require.
We feel that the exemption available to us under Section 40 (2) of the FOIA is engaged in respect of your questions around age and years in the NHS.
Section 40 (2) applies to third party personal data and is exempt from disclosure under the FOIA if disclosure would breach any of the data protection principles contained within Part 1 of Schedule One under Section 4 (1) and (2) of the Data Protection Act 1998. Such information would not be released under the FOIA unless there is a strong public interest. One of the main differences between the FOIA and the Data Protection Act 1998 is that any information released under the FOIA is released into the public domain, not just the individual requesting the information and disclosure under the FOIA must be made with that in mind. As such, any release that identifies an individual through releasing their personal data, even third party personal data is exempt.
All persons whose personal data is processed by NHS East Midlands have an intrinsic right to privacy and these rights are protected by virtue of the Data Protection Act 1998. Release of the information subject to the exemption is likely to compromise those rights.
The Section 40 exemption is an absolute exemption (except in some limited circumstances). This means that it is not necessary to carry out a public interest test. Whilst it is acknowledged that publishing details of the age or number of years of certain NHS East Midlands employees alone has a limited possibility of identifying an individual, when published alongside the other information provided it then increases that possibility. In the present case the issue under consideration is that the persons concerned could be identified by the disclosure of the information in its entirety.
NHS East Midlands would be failing in its lawful duty were it to breach the Data Protection Act in order to furnish a disclosure under the FOIA. Information held relevant to the age and years in the NHS when disclosed in-line with the remaining information falls within the definition of personal data and would result in the breach of the Data Protection Act. NHS East Midlands has a duty to protect the personal data and sensitive personal data of all staff members.
I hope that this information is of use. If you are dissatisfied with the way in which we have dealt with your request you can ask us to review our decision by writing to:-
Mr Moosa Patel
director of Corporate Affairs
NHS East Midlands
Octavia House
Interchange Business Park
Bostock's Lane
Sandiacre
Nottingham
NG10 5QG
If at the conclusion of any review you remain dissatisfied you may complain to the Information Commissioner who can be contacted at:-
The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
