Mr. X and Health Service Executive
From Office of the Information Commissioner (OIC)
Case number: OIC-135868-N2C9G5
Published on
From Office of the Information Commissioner (OIC)
Case number: OIC-135868-N2C9G5
Published on
Whether the HSE was justified in refusing access, under section 15(1)(a) of the FOI Act, to further records other than those already released on the ground that no further relevant records could be found and in refusing access, under sections 31(1)(a) and 37, to certain information contained in a number of the released records
28 May 2024
In a request dated 19 October 2022, the applicant submitted a three-part request seeking access to the following:
The HSE did not issue a decision within the specified time period. Therefore, on 18 November 2022 the applicant sought an internal review of this deemed refusal. It would appear that two internal review decisions issued. The first decision, dated 19 December 2022, relating to what was termed the safeguarding files. A total of 135 pages of records were identified and access was granted to 17 pages of records, with the remaining 118 pages refused on the basis of section 31(1)(a) relating to legally privileged information. A second internal review decision issued on 15 February 2023 relating to what was termed the mental health files. A total of 1404 pages of records was identified and partial access was granted to these records, with certain information refused on the basis of section 37(1) relating to personal information.
On 27 February 2023 the applicant appealed the matter to this Office.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the applicant’s comments in his application for review and to the submissions made by the HSE in support of its decision. I have also had regard to the contents of the records concerned. I have decided to conclude this review by way of a formal, binding decision.
In the course of his application to this Office, the applicant said that it was his understanding that the HSE may have invoked section 38 in this case. Section 38 of the FOI Act sets out the procedure to be followed in certain circumstances where a decision to release information in a record has the potential to affect the interests of a third party. The provision applies in cases where, at some stage in the decision-making process, the FOI body has formed the view that the record in question falls within sections 35, 36 or 37 of the Act but should be released in the public interest. Section 38 therefore requires the public body to notify the affected third parties that it proposes to grant the request in the public interest and provide the third party with an opportunity to make any submissions it wishes to make prior to deciding whether to grant or refuse the request.
I have reviewed the HSE’s decision-making records in this case and I do not see any reference to the HSE having considered the provisions of section 38 as part of this review. Equally, it is not apparent to me how consultation under section 38 could have arisen given the HSE has not proposed to issue any exempt information in the public interest. In the circumstances I do not consider it necessary to examine this provision as part of my review.
In addition, in the course of correspondence with this Office, the applicant also made certain submissions in relation to applicability of section 30(1)(a) in this case. However, as the HSE had not relied on this provision to refuse access to records in this case, I consider that it is not necessary for me to consider the applicability of this provision to the records at issue.
Finally, in the course of the review by this Office the applicant provided a letter which appeared to indicate that there was a third release of records to him as part of this request. More specifically, this later dated 5 April 2023 and including the relevant HSE reference number (FOI 30522) for this request, referred to 63 pages of records and appeared to indicate that these records were part-released to the applicant with certain records refused on the basis of section 30(1)(a) and 31(1)(a). When I queried this with the HSE they provided me with the following information. The HSE said that on 6 March 2023 the applicant emailed the Head of Quality, Safety & Service Improvement (QSSI) and made reference to records received as part of FOI 30522. The HSE said that the applicant was seeking access to records between the Safeguarding team and the HSE’s Deputy Data Protection Officer which fell outside the scope of his original request. The HSE further said that in error an official of the Safeguarding team issued the letter of 5 April 2023 which stated ‘Internal Review 30522’. It said that this was an administrative error and the applicant’s request should in fact have been logged as a new FOI request. In addition, the HSE said that the 63 pages of records referred to in the correspondence do not fall within the applicant’s request in the current case as they relate to a data breach incident with occurred after the applicant submitted the current request.
In light of the HSE’s comments as set out above, I sought further information from it with regard to these 63 pages of records. In response, the HSE supplied this Office with a copy of the records at issue. Having reviewed these records, I am satisfied that in all cases they post-date the applicant’s request in the current case. As such I am satisfied that they fall outside the scope of the current review and I do not need to consider them further as part of my review.
This review is therefore concerned solely with whether the HSE was justified in refusing access to information contained in the records under sections 31(1)(a) and 37(1) of the FOI Act and in refusing access, under section 15(1)(a) of the FOI Act, to further records other than those already released, on the ground that no further relevant records exist or can be found.
Before I address the substantive issues arising, I would like to make a number of preliminary comments.
First, as has previously been explained to the applicant, this Office has no remit to investigate complaints, to adjudicate on how FOI bodies perform their functions generally, or to act as an alternative dispute resolution mechanism with respect to actions taken by FOI bodies.
Secondly, although I am obliged to give reasons for my decision, section 25(3) of the FOI Act requires me to take all reasonable precautions in the course of a review to prevent disclosure of information contained in an exempt record. This means that the extent to which I can describe the contents of the records is limited.
Thirdly, section 18 of the Act provides for the deletion of exempt information and the granting of access to a copy of a record with such exempt information removed. This should be done where it is practicable to do so and where the copy of the record thus created would not be misleading. However, the Commissioner takes the view that neither the definition of a record nor the provisions of section 18 envisage or require the extracting of particular sentences or occasional paragraphs from records for the purpose of granting access to those particular sentences or paragraphs. Generally speaking, therefore, the Commissioner is not in favour of the cutting or "dissecting" of records to such an extent.
The HSE has refused access to 118 pages of records on the basis of section 31(1)(a).
Section 31(1)(a) provides for the mandatory refusal of a request if the record concerned would be exempt from production in proceedings in a court on the ground of legal professional privilege. Legal professional privilege enables the client to maintain the confidentiality of two types of communication:
The concept of "once privileged always privileged" applies where privilege is based on legal advice privilege, but not where it is based on litigation privilege. Thus, unless otherwise lost or waived, legal advice privilege lasts indefinitely. For advice privilege to apply, the communication must be made between a client and his/her professional legal adviser in a situation where the legal adviser is acting in a professional capacity. This Office accepts that privilege can apply to records that form part of a continuum of correspondence that results from the original request for advice.
I should note also that records exempt under section 31(1)(a) do not have to be subject to legal proceedings for legal advice privilege to apply. It is also worth noting that, in order for legal advice privilege to attach to a record, it must have the required quality of confidentiality.
A further factor that needs to be considered is the principle that while in general a document is not privileged if it is not brought into existence for the purpose of seeking or giving legal advice; if a document, which might be described as a ‘pre-existing document’ could, if disclosed, reveal the nature or trend of the legal advice being sought by the client or being provided by the legal adviser then legal professional principle can attach to it. With regard to the records which have been refused, I note that it would appear that in certain cases documents that are pre-existing records are attached to requests from the HSE for legal advice.
In its submission to this Office, the HSE said the relevant records consist of correspondence with its external legal advisers for the purposes of obtaining legal advice. It said the communications arise in the course of the professional lawyer-client relationship and that the communications are confidential in nature and for the purposes of obtaining legal advice.
I have examined the pages of records which have been refused under section 31(1)(a). I must be circumspect in my description of the records. I can say they comprise communications between the HSE and its external solicitor in relation to two specific matters; with pages 1-60 of the records relating to a CORU complaint and pages 61-118 relating to a potential data breach.
Having examined the records, and bearing in mind the provisions of section 18, I am satisfied that, with the exception of what I will refer to below, the records comprise correspondence between the HSE and its legal advisers seeking or providing legal advice, or comprise part of a continuum of correspondence that results from the original request for advice, and that section 31(1)(a) applies. An examination of the information at issue suggests that the relevant communications in this case were clearly intended to be confidential.
As set out above, in certain cases some of the attachments to the HSE’s request for legal advice comprise ‘pre-existing documents’. Having carefully considered the matter, I am satisfied that the nature of the requests for legal advice are such that release of the attachments would reveal the nature or trend of the advice sought. As such, I am satisfied that section 31(1)(a) also applies to these records.
However, with regard to pages 61, 62, 63, 117 and 118 of the relevant records, I am not satisfied that these records attract legal privilege. These records comprise correspondence from the applicant submitting requests under the FOI Act and/or responses from the HSE to such requests. Therefore, while I do not consider that section 31(1)(a) applies to these records, equally I am satisfied that the applicant is already in possession of such records.
On that basis I am satisfied that pages 1-60 and 64-116 of the records termed the safeguarding file attract legal advice privilege and I find therefore that the HSE was justified in refusing access to them on the basis of section 31(1)(a). I am also satisfied that pages 61, 62, 63, 117 and 118 of the safeguarding file comprise correspondence from the applicant or to the applicant from the HSE and as such I am satisfied that the applicant is already in possession of this information.
The HSE has refused access to certain information in the applicant’s mental health files on the basis of section 37(1).
Section 37(1) provides that, subject to the other provisions of the section, an FOI body shall refuse a request if access to the record concerned would involve the disclosure of personal information relating to an individual or individuals other than the requester. This does not apply where the information involved relates to the requester (section 37(2)(a) refers).
However, section 37(7) provides that, notwithstanding subsection (2)(a), an FOI body shall refuse to grant a request if access to the record concerned would, in addition to involving the disclosure of personal information relating to the requester, also involve the disclosure of personal information relating to an individual or individuals other than the requester (commonly known as joint personal information). In essence, this means that while section 37(1) does not provide a basis for refusing access to personal information that relates solely to the requester, if that personal information is inextricably linked to personal information relating to parties other than the applicant, then section 37(1) applies. It is also important to note that the fact the applicant may be aware of the identity of the other parties does not mean that the information cannot be protected under section 37(1).
For the purposes of the Act, personal information is defined as information about an identifiable individual that either (a) would ordinarily be known only to the individual or members of the family, or friends, of the individual, or (b) is held by an FOI body on the understanding that it would be treated by that body as confidential. The Act details fourteen specific categories of information which are included in the definition without prejudice to the generality of the forgoing definition, including (xiv) the views or opinions of another person about the individual.
Certain information is excluded from the definition of personal information, as set out in section 2 of the FOI Act. Paragraph (I) provides that where the individual is or was a staff member, the definition does not include the name of the individual or information relating to the office or position or its functions or the terms upon and subject to which the individual holds or held that office or occupies or occupied that position or anything written or recorded in any form by the individual in the course of and for the purpose of the performance of those functions.
Paragraph (I) does not provide for the exclusion of all information relating to staff of an FOI body. The Commissioner takes the view that the exclusion is intended to ensure that section 37 will not be used to exempt the identity of a public servant in the context of the particular position held or any records created by the public servant while carrying out his or her functions. The exclusion to the definition of personal information at Paragraph (I) does not deprive staff members in FOI bodies of the right to privacy generally.
Mindful of the provisions of section 25(3), I cannot provide a detailed description of the outstanding information in the records. However, I can say that the information in the records which has been redacted relates to individuals other than the applicant. In certain cases the information comprises sensitive information relating to other individuals known to the applicant, including information relating to the relationship between those individuals and the applicant.
Having examined the withheld information, I am satisfied that it comprises either personal information relating solely to individuals other than the applicant, or personal information relating to the applicant that is inextricably linked to personal information relating to other identifiable individuals i.e. joint personal information. I am satisfied that the release of any additional information would involve disclosure of personal information relating to individuals other than the applicant and that section 37(1) applies.
Section 37(2) of the FOI Act sets out certain circumstances in which 37(1) does not apply. However, I am satisfied that the relevant circumstances do not arise in this case. That is to say, (a) the information does not relate solely to the applicant; (b) the individuals to whom the information relates have not consented to the release of the information; (c) the information is not of a kind that is available to the general public; (d) the information does not belong to a class of information which would or might be made available to the general public; and (e) the disclosure of the information is not necessary to avoid a serious and imminent danger to the life or health of an individual.
Section 37(5) provides that a request that would fall to be refused under subsection (1) may still be granted where, on balance, (a) the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld, or (b) the grant of the request would benefit the person to whom the information relates. No argument has been made that the release of the records to the applicant would benefit the other individuals, nor is it apparent to me how release would do so. I find that section 37(5)(b) does not apply.
Before I consider the applicability of section 37(5)(a), there are a number of important points to note. First, section 13(4) provides that, subject to the Act, in deciding whether to grant or refuse an FOI request, any reason that the requester gives for the request and any belief or opinion of the FOI body as to the reasons for the request shall be disregarded. In relation to the question of the public interest, this means that I cannot have regard to the applicant's motives for seeking access to the records at issue, except in so far as those motives reflect, or overlap with, what might be regarded as true public interest factors in favour of release of the records, i.e. insofar as the concerns raised in relation to the request may also be matters of general concern to the wider public.
Secondly, it is important to note that the release of records under the FOI Act must be regarded, in effect, as release to the world at large, given that the Act places no constraints on the uses to which a record released under the Act can be put. With certain limited exceptions provided for under the Act, FOI is not about granting access to information to particular individuals only and as noted above, a requester's reasons for making a request are generally not of relevance. Thus, records are not released under FOI for any limited or restricted purpose.
All of this means that in considering whether a right of access exists to records under section 37(5)(a) of the Act, any decision to grant access would be on the basis that there is an overriding public interest in the release of the records effectively to the world at large that outweighs the privacy rights of the third party individuals concerned.
In considering where the balance of the public interest lies in this case, I have had regard to section 11(3) of the Act which provides that in performing any functions under the Act, an FOI body must have regard to, among other things, the need to achieve greater openness in the activities of FOI bodies and to promote adherence by them to the principles of transparency in government and public affairs and the need to strengthen the accountability and improve the quality of decision making of FOI bodies. However, in doing so, I have also had regard to the judgment of the Supreme Court in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors [2020] IESC 57 (“the Enet case”). In that case, the Supreme Court found that a general principle of openness does not suffice to direct release of records in the public interest and “there must be a sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure”. Although the Court’s comments were made in cases involving confidentiality and commercial sensitivity, I consider them to be relevant to the consideration of public interest tests generally.
In this case, while the applicant did not identify any specific public interest factors in favour of the release of the records at issue that might outweigh, on balance, the privacy rights of the other individuals, he indicated in his correspondence with this Office that he wants access to the records as he alleges that his private information was unlawfully obtained by staff of the HSE in a manner which violated his privacy and confidentiality. While the applicant has essentially expressed a private interest for seeking access to the records, it seems to me that his reasons for seeking access to the records are reflective of a public interest in ensuring that appropriate data protection procedures are followed by the HSE.
On the other hand, the FOI Act recognises the public interest in the protection of the right to privacy both in the language of section 37 and the Long Title to the Act (which makes clear that the release of records under FOI must be consistent with the right to privacy). It is also worth noting that the right to privacy has a constitutional dimension, as one of the unenumerated personal rights under the Constitution. Privacy rights will therefore be set aside only where the public interest served by granting the request (and breaching those rights) is sufficiently strong to outweigh the public interest in protecting privacy. Moreover, even where an overriding public interest in granting the request exists, there is a discretionary element to the application of section 37(5)(a).
I accept that there is a public interest in enhancing transparency around the manner in which the HSE safeguards the private information of clients of its services. However, it is not apparent to me how the release of inherently sensitive and private information relating to individuals other than the applicant, effectively, or at least potentially, to the world at large, would enhance transparency around the manner in which the HSE carries out it functions. In the circumstances, I do not accept that the public interest in releasing the information to which access have been refuses in the records outweighs, on balance, the privacy rights of the other individuals. I find, therefore, that section 37(5)(a) does not apply.
In conclusion, I find that the HSE was justified in refusing access to information in the relevant records on the basis of section 37(1) and 37(7) of the FOI Act.
In his application to this Office, the applicant has argued that further records exist relevant to his request and as such the provisions of section 15(1)(a) are of relevance.
Section 15(1)(a) of the FOI Act provides for the refusal of a request where the records sought do not exist or cannot be found after all reasonable steps to ascertain their whereabouts have been taken. In such cases, the role of this Office is to review the decision of the FOI body and to decide whether that decision was justified. This means that I must have regard to the evidence available to the decision maker and the reasoning used by the decision maker in arriving at his/her decision and I must assess the adequacy of the searches conducted by the FOI body in looking for relevant records.
During the course of the review, the HSE provided submissions to this Office in which it provided details of the searches carried out for relevant records and of its explanation as to why no further relevant records could be found. As this Office has already provided the applicant with those details, I do not propose to repeat them in full here.
I also put specific questions to the HSE with regard to certain discrete matters raised by the applicant in his application for review. With regard to the two audio files which the applicant referred to his application to this Office, the HSE said that the clinician involved with the Endeavour Programme has confirmed that he has provided all relevant records, including clinical notes, for the period stated. The HSE further informed me that at a meeting with the clinician, the applicant provided some audio recordings that the HSE have said were covertly made of some of his therapy sessions. The HSE informed me that, as per the HSE IT policy, these recordings were not put on a USB key/storage device and the applicant retained the original recordings. The HSE said that it is their position that these two digital audio recordings which were provided by the applicant to the clinician are not considered to form part of the applicant’s clinical file as these records were not created by the HSE. In addition, the HSE said that, to protect the HSE from computer viruses and other malicious software, no electronic document or file from any source outside of the HSE can be opened by HSE staff unless it has first been scanned for known viruses and malicious software. This requirement covers electronic files in any format, including floppy disks, CD’s, DVD’s and email attachments. In summary, it is the HSE’s position that these covert recordings do not form part of the applicant’s clinical file as they were created by him.
The HSE also informed me of the specific search terms utilised to search for electronic records relevant to part (iii) of the applicant’s request and these have been shared with the applicant. The HSE also indicated that as the applicant is not a client of the Safeguarding service, there is no client file to review and therefore the position of the HSE is that the records sought do not exist and never existed in the Safeguarding Office. The HSE also said that complaints made to a professional body by a third party are held and managed by that professional body and not the employer.
In response to the applicant’s contention that a single casefile should exist relating to a certain CORU referral, the HSE said that as it had not made the referral to CORU relating to the professional in question, such a file does not exist. With regard to the applicant’s contention that there should be a response to correspondence from the Deputy Data Protection Officer regarding a possible data breach, the HSE said the matter is with the Data Protection Commission it is awaiting the outcome.
In light of the above, I informed the applicant that it was my view that the HSE had, at that stage taken all reasonable steps to ascertain the whereabouts of relevant records. I invited the applicant to make further submissions if he remained of the view that further relevant records should exist.
In response, the applicant once again queried whether the HSE held the two audio files referred to above. The applicant also queried what physical searches had been conducted for records falling within the scope of his request. With regard to part (iii) of his request, and specifically the reference to the fact that as he is not a client of the Safeguarding service there is no client file to review, the applicant said that he is aware that he is not a client of that service. However, the applicant said that he understands that the named social worker ‘unlawfully contacted and met with my clinicians’ and as such there should be correspondence relating to such contact. In addition, the applicant supplied screenshots of two instances which he contends demonstrate that the social worker in question contacted his clinical team. With regard to the HSE’s contention that complaints made to a professional body by a third party are held and managed by that professional body, the applicant said that it is his understanding that if any employee is a registrant of a regulatory board, the registrant must inform its employer that there is a matter before the regulatory body which could affect its employment. As such the applicant considers that there should be records held by the HSE relating to his CORU complaint. The applicant also submitted further correspondence on 13 May 2024 again referring to these screenshots and indicating his view that the HSE clearly held these records as they were referred to in a separate appeal by the applicant to the Data Protection Commission (DPC).
With regard to the HSE’s contention that electronic searches were conducted by the Principal Social Worker, the applicant referred to an email dated 20 December 2022 from him to the social worker in question wherein he put specific queries in relation the types of searches which had been conducted following this request. The applicant further indicated that he did not receive a substantive response to his queries. Finally, the applicant referred the HSE’s response in relation to the safeguarding file and whether there should be a response to the correspondence relating to a possible data breach. The applicant said that he maintains his position that records should exist in relation to the relevant response.
As indicated above, I provided details of the applicant’s comments to the HSE. With regard to the two audio files, the HSE referred again to the HSE’s ICT Acceptable Usage Policy and said once again that the recordings which were submitted by the applicant were not put on a USB key/storage device and do not form part of the applicant’s clinical file. The HSE said that its policy further states that electronic documents or files, from any source outside the HSE, should not be opened until they have first been scanned for known viruses and other malicious software. The HSE also noted that the applicant is in possession of the original recordings to which he refers.
With regard to the applicant’s comments in relation to physical searches, the HSE said that all relevant members of the applicant’s multi-disciplinary team have been requested to provide any records they hold on multiple occasions due to the multiplicity of requests for records submitted by the applicant. The HSE provided this Office with a table listing sixteen individuals who were contacted in relation to records relating to the applicant. The HSE also confirmed that the applicant’s hard copy physical files, including clinical files and FOI and data protection/SAR files were searched.
With regard to part (iii) of the applicant’s request, the HSE said that with regard to the screenshots provided by the applicant, as there is no information in these emails relating to the applicant they would not be deemed to fall within the scope of his request. The HSE further indicated that any information provided by the safeguarding team to CORU was provided under summons following a request from the latter body and the management and sharing of such information lies with CORU.
The HSE further said that CORU is an independent statutory body who deals with individual complaints relating to registered parties. It said that the applicant’s request relates to communications between a specific staff member in the safeguarding team and CORU. It said that this matter relates to an internal HR matter relating to the staff member concerned and not the applicant.
With regard to the applicant’s comments that he had previously put certain questions to the Principal Social Worker with regard to the particular searches which she had conducted in relation to his request, the HSE said that this correspondence from the applicant followed the issuance of the first internal review decision which issued on 19 December 2022. It said that while it acknowledged the applicant’s subsequent correspondence, it remained of the view that all key searches had been completed.
With regard to the applicant’s comments in relation to correspondence relating to a potential data breach, the HSE informed me that the applicant has now submitted a Subject Access Request (SAR) seeking access to all of the records relating to the alleged breach. The HSE indicated that a response to this SAR issued to the applicant on 21 February 2024.
In sum, it is the HSE’s position that all reasonable steps have, at this stage, been taken to ascertain the whereabouts of records coming within the scope of the applicant’s request and that no further relevant records exist or can be found. It is important to note that it is possible, and it is clearly envisaged by the Act, that records may exist, but still may not be found after all reasonable steps have been taken to ascertain their whereabouts. In certain cases, and depending on the circumstances, an FOI body may not be a position to state definitively what happened to the records or why they cannot be found. However, this Office takes the view that, in acknowledgement of the fact that situations can arise where records cannot be found, the FOI Act does not require such certainty. Rather, it requires the body to take all reasonable steps to ascertain their whereabouts. Moreover, the FOI Act does not require an FOI body to continue searching indefinitely for records that cannot be found. We may conclude that an FOI body has conducted reasonable searches even where records were known to have existed but cannot be found.
The question I must consider in this case is whether the HSE has taken all reasonable steps to ascertain the whereabouts of relevant records. Having considered the details of the searches undertaken and its explanation as to why no further records exist or can be found I am satisfied that it has. In particular, with regard to the audio files referred to by the applicant, I accept the arguments put forward by the HSE as to why such files were not identified in the searches conducted following receipt of the applicant’s request. In addition, it is clear that such files are readily available to the applicant.
I have also carefully considered the applicant’s comments that records comprising correspondence to/from a named social worker in relation to the applicant’s CORU complaint should have been identified. Bearing in mind the exclusion at paragraph (I) referred to above, I am satisfied that information relating to a complaint cannot be characterised as being for the purpose of the performance of the relevant social worker’s functions as a staff member of an FOI body. I am therefore satisfied that if records relating to this complaint were to exist, such records would comprise the personal information of the social worker in question. As such, I am of the view that section 37(1) would apply to them. This finding is in keeping with a similar finding I have made in another request made by the applicant to this Office; Case OIC-143105 - Mr. X & HSE available at the following link.
Accordingly, I find that, with the HSE was justified in relying on section 15(1)(a) of the FOI Act to refuse access to any additional records on the ground that no further relevant records exist or can be found after all reasonable steps to ascertain their whereabouts have been taken.
Having carried out a review under section 22(2) of the FOI Act, I hereby affirm the HSE’s decision.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
Mary Connery, Investigator