Cinneadh
Mr X and Health Service Executive
Ó Oifig an Choimisinéara Faisnéise
Cásuimhir: OIC-151147-H4M9G1
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Ó Oifig an Choimisinéara Faisnéise
Cásuimhir: OIC-151147-H4M9G1
Foilsithe
Teanga: Níl leagan Gaeilge den mhír seo ar fáil.
Whether the HSE was justified, under section 15(1)(a) of the FOI Act, in refusing access to records in relation to an alleged data breach on the ground that no records exist or can be found
22 October 2024
On 16 May 2024, the applicant made an FOI request for access to records relating to an alleged data breach. The applicant referred to submissions the HSE had made to this Office in relation to a previous review of a separate FOI request, in which the HSE had stated that records relating to this alleged data breach were outside the scope of his request at the time. The applicant said he was making a new FOI request for access to these records, “so the documents will be within the scope of the request”.
On 19 June 2024, the applicant made an internal review request, having received no original decision on the matter. On the same day, the HSE issued an acknowledgement letter informing the applicant a decision on his internal review request is due by 10 July 2024. On 11 July 2024, the applicant applied to this Office for a review on the basis of a deemed refusal. He said the HSE had not responded within the allotted time for an internal review.
On 9 August 2024, the HSE issued its effective position, in which it refused the applicant’s request under section 15(1)(a) of the FOI Act. The HSE said that the internal review decision in the previous case, where the records relating to alleged data breach were deemed outside the scope of the request, had been reviewed and upheld by this Office. The HSE stated that its position had not changed. The applicant advised this Office that he wished to continue with the review of the HSE’s decision.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence outlined above and to the submissions made by the HSE. I have decided to conclude this review by way of a formal, binding decision.
This review is concerned solely with whether the HSE was justified, under section 15(1)(a) of the FOI Act, in refusing access to records sought by the applicant relating to the alleged data breach, on the basis that no relevant records exist or can be found after all reasonable steps have been taken to locate them.
Section 15(1)(a) of the FOI Act provides for the refusal of a request where the records sought do not exist or cannot be found after all reasonable steps to ascertain their whereabouts have been taken. Our role in a case such as this is to review the decision of the FOI body and to decide whether that decision was justified. This means that I must have regard to the evidence available to the decision maker and the reasoning used by the decision maker in arriving at their decision and also must assess the adequacy of the searches conducted by the FOI body in looking for relevant records. The evidence in “search” cases generally consists of the steps actually taken to search for the records along with miscellaneous and other information about the record management practices of the FOI body, insofar as those practices relate to the records in question.
In his submission to this Office, the applicant said he believed the HSE had misunderstood his request. He said that he had made the new FOI request (the subject of this review) in order to request access to the records related to the alleged data breach which were deemed outside the scope of his previous FOI request.
In its submissions to this Office the HSE advised that having re-examined the applicant’s FOI request, this request was logged for processing to the Mental Health Decision Maker only. The HSE said however, given that data breaches are managed by the Deputy Data Protection Officer (DDPO), the request should also have been logged to the DDPO/Consumer Affairs Decision Maker for processing. The HSE confirmed, having completed an initial search for records that are held by the DDPO, that records do exist which had not been considered.
It is evident that the HSE misunderstood the applicant’s original request and that it has now located records which fall to be considered. Accordingly, I have no basis on which to find the HSE’s refusal of the request was justified under section 15(1)(a) of the Act. In the circumstances, it seems to me that the most appropriate course of action for me to take is to annul the HSE’s decision on the applicant’s request and to direct it to make a fresh decision on the matter in accordance with the provisions of the FOI Act. The applicant will have a right to an internal review and a review by this Office if necessary.
Having carried out a review under section 22(2) of the FOI Act, I hereby annul the HSE’s refusal of the applicant’s request under section 15(1)(a) of the FOI Act. I direct it to carry out a fresh decision making process on the applicant’s request.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
Richard Crowley
Investigator