Ms. Z and Health Service Executive

Background
Scope of Review
Analysis and Findings
Decision
Right of Appeal

Whether the HSE was justified in refusing access, under section 15(1)(a) of the FOI Act, to further records held its the Occupational Health Department relating to the applicant

16 May 2025

Background

In a request dated 4 September 2023, the applicant sought access to all her personal information held by the HSE’s Occupational Health Department(s) from 30 May 2022 to the date of her request. On 21 September 2023, the HSE release 73 pages of records to the applicant.

On 10 October 2023, the applicant sought an internal review of the HSE’s decision. The applicant said she is seeking:

(1) All previous versions of her occupational health notes dated 16 November 2022 including the original compiled notes and subsequently amended versions,

(2) The attachment to an email dated 9 November 2022 that was not released to her,

(3) Records relating to the follow up of an email from the applicant to a named doctor on 2 December 2022 that was flagged for “Follow Up”,

(4) Records relating to an update referred to in an email dated 9 November 2022 from a named doctor, and

(5) Records relating to a GDPR breach complaint made by the applicant about the Occupational Health Department.

On 6 December 2023, the HSE issued its internal review decision. It released an additional page of notes relating to part 1 above, saying it had accidentally been omitted. The HSE said the attachment referred to in part 2 had been released in its original decision and pointed the applicant to the relevant pages. The HSE said there is no record of a data breach on the applicant’s file and no further records exist in relation to her request. On 30 April 2024, the applicant applied to this Office for a review of the HSE’s decision to refuse her request for records. The applicant referenced various correspondence about her GDPR complaint, communications with a named doctor in Occupational Health and communications from Human Resources which she argues is evidence that further records ought to exist.

During the course of the review, the Investigating Officer provided the applicant with details of the HSE’s submissions outlining the searches it said it had undertaken to locate records relevant to the applicant’s request and its reasons for concluding that it does not hold any further records. The applicant was invited to make submissions in the matter, which she duly did.

I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence outlined above and to the submissions made by both parties. I have decided to conclude this review by way of a formal, binding decision.

Scope of Review

This review is concerned solely with whether the HSE was justified in refusing further records relating to the applicant held by the relevant Occupational Health Department under section 15(1)(a) of the FOI Act.

Analysis and Findings

Section 15(1)(a) of the FOI Act provides for the refusal of a request where the records sought do not exist or cannot be found after all reasonable steps to ascertain their whereabouts have been taken. Our role in a case such as this, is to review the decision of the FOI body and to decide whether the decision was justified. This means that I must have regard to the evidence available to the decision maker and the reasoning used by the decision maker in arriving at his/her decision and also must assess the adequacy of the searches conducted by the FOI body in looking for relevant records. The evidence in “search” cases generally consists of the steps actually taken to search for records along with miscellaneous and other information about the record management practices of the FOI body, insofar as those practices relate to the records in question.

During the course of this review, the Investigating Officer invited the HSE to make submissions detailing the steps it took to identify and search for records held by its Occupational Health Department, and about is records management practices generally. In its submissions, the HSE stated that in relation to the data breach records sought by the applicant, all data breaches in the HSE are reported to the local Deputy Data Protection Officer (DDPO) or the HSE Data Protection Office (DPO). It stated that each breach is risk assessed in line with data protection legislation and the General Data Protection Regulation (GDPR). The HSE said that in this instance, the applicant raised a query with the HSE DPO which was forwarded to the DDPO in Dublin Mid Leinster for attention. It stated that it was determined that no breach had occurred and that this was communicated to the applicant on 13 December 2022 by the Deputy Data Protection Officer. The HSE said that email communication relating to the applicant’s data breach query would not form part of an individual occupational health file and as a result would not have been considered as part of the decision making on the applicant’s request. The HSE stated that no further records exist on the Occupational Health File in relation to the HR email of 2 December 2022, which the applicant queried in her request for an internal review.

The HSE said that each data breach is assessed on a case by case basis and the volume of records generated depends on the severity of the breach. The HSE stated that in this case, the applicant submitted an email to the HSE National Data Protection Office (DPO) referring to a breach of her data by the relevant Occupational Health Department. It stated that the applicant attached documents relating to the alleged data breach including email correspondence with the Occupational Health Department. The HSE stated that the DPO forwarded the correspondence to the local data protection office for follow up. It stated that the local office corresponded with the relevant Occupational Health Department regarding the alleged breach. The HSE said that the email correspondence was with a named Occupational Health Nurse who was working in the Occupational Health Department. It stated that the nurse and the doctor who dealt with the applicant are no longer involved in relevant Occupational Health Department, nor do they have any access to its notes. The HSE stated that the nurse, who also made the decision on the applicant’s FOI request, only reviewed the applicant’s occupational health file.

The HSE said that emails between DDPO/Consumer Affairs Office and the Occupational Health Nurse were located in the Consumer Affairs Office. However, the HSE stated that as the applicant’s request was solely for records held by the Occupational Health Department, and as the emails it identified are held by its Consumer Affairs Office, it is the HSE’s position that these records are outside the scope of applicant’s request. The HSE said it is open to the applicant to make a fresh FOI request for these records to the Consumer Affairs Office.

In subsequent communications with the HSE, the Investigating Officer sought clarification about the types of records held by the Occupational Health Department and the actual searches undertaken to locate records. In its submissions, the HSE stated that the Occupational Health Department confirmed that it does not hold any records of an alleged data breach as no breach occurred regarding data. The HSE stated that records regarding the determination that no breach had occurred, were of emails between the named Occupational Health staff member and the DDPO/consumer affairs office, which are not held in the Occupational Health Department as they were held electronically by the named individual. The HSE said that there are no other records on file within the Occupational Health Department pertaining to the applicant. The HSE stated that all records are held electronically, and these were searched in order to respond to the initial FOI request.

Following the HSE’s submissions to this Office, the Investigating Officer wrote to the applicant to provide her with an update on the submissions provided by the HSE. In her submissions the applicant stated that she is of the view that the named nurse is still working in the relevant Occupational Health Department, and as a result would be able to search for records relevant to the applicant’s request, which are held in that Department. The applicant also referred to an email from the applicant to the HR department on 14 September 2022, in which she referred to the occupational health report. The applicant stated that this correspondence was copied to the Occupational Health Department.

Following this correspondence from the applicant, the Investigating Officer sought further submissions from HSE regarding whether records of an email to the HR Department, which was copied to the Occupational Health Department exist, and to clarify what records are held electronically by the nurse relating to the applicant’s request. In reply, the HSE said it could confirm that the nurse no longer works in the relevant Occupational Health Department and does not have access to email records held on the Occupational Health Department’s system. It stated that that the nurse searched the occupational health file for the records requested. The HSE said that emails were not printed and were not on the Occupational Health file that was searched in response to the initial FOI request.

During the course of this review the applicant also identified email correspondence from 17 October 2022 sent from the Occupational Health general email account which had not been released to her. The Investigating Officer sought submissions from the HSE regarding searches undertaken on the Occupational Health Department general email account including any keyword searches undertaken, and searches of the named nurse’s email account for records relating to the applicant’s request. The HSE stated that the nurse processed the applicant’s personal occupational health file only. It said that the HSE IT Department confirmed that as the email system is a communication system, not a record storage system, no searches were undertaken on the email system for records within the scope of the applicant’s request. The HSE said that the on foot of the Investigating Officer’s query regarding the existence of records of the email correspondence from 17 October 20222, it had carried out a search on 19 March 2025 and no records were located. It stated that the nurse no longer has access to the generic email account. It also said the nurse searched her work email on 19 March 2025 and no records were located. In response to a query from the applicant about folders used to manage email correspondence, the HSE said that there is no requirement to create folders within email accounts. It stated that each user must manage their email account in line with the electronic communications policy. The HSE stated that the Occupational Health Department confirmed on 19 March 2025 that there are no folders on the generic email account. It said that the also nurse confirmed she did not create folders on her own work email account.

My analysis

It is important to note that the FOI Act does not require absolute certainty as to the existence or location of records, as situations can arise where records are lost or simply cannot be found. Furthermore, it is open to this Office to find that an FOI Body has satisfied the requirements of section 15(1)(a) even where records that an applicant believes ought to exist have not been located. We do not generally expect FOI bodies to carry out extensive or indefinite general searches for records simply because an applicant asserts that records should or might exist.

While I accept that the HSE carried out certain searches for records relevant to the applicant’s request, based on the submissions provided by the HSE, it seems to me that it has not undertaken all reasonable steps to locate all relevant records requested by the applicant in her request. No search details were provided regarding keyword searches carried out for electronic records held, or how emails are managed within the relevant Occupational Health Department. Additionally, the HSE said at various times during this review that only the applicant’s personal occupational health file was searched for records. It is unclear to me whether all relevant individual and generic email accounts have been adequately searched. I note, for example, the applicant identified email records from the Occupational Health generic email account which had not been released to her. While the HSE said that the Occupational Health Department carried out a search on 19 March 2025 it provided no details of the searches undertaken and said that the nurse no longer has access to the generic email account. Furthermore, the HSE has not provided details of any consultation with, or searches carried out by, the named doctor who dealt with the applicant’s case or any other staff members within the Occupational Health Department.

It seems to me from the HSE’s submissions in this case is that it focused its decision making on the applicant’s request around the applicant’s Occupational Health file rather than all records held by the Occupational Health Department relating to the applicant. I would expect the HSE to show that all relevant individuals were consulted and to provide details of the searches of their records and any generic emails accounts. In my view, the HSE has not done so. In the circumstances, I am not satisfied that the HSE has demonstrated it has undertaken all reasonable steps to locate the records sought by the applicant. Accordingly, I find that the HSE was not justified in refusing access to further relevant records, under section 15(1)(a) of the FOI Act, and I direct it to consider the applicant’s request afresh. The applicant will have a right to an internal review and a review by this Office if she is not satisfied with the HSE’s decision.

Finally, the Investigating Officer asked the HSE if it would release the records located by the HSE within its Consumer Affairs Office relating to its investigation of the applicant’s data breach complaint about the Occupational Health Department, but it was unwilling to do so. Instead, it suggested the applicant can make a new request for those records. While the copy of the records located are held by the Consumer Affairs Office, they are clearly records with a member of the Occupational Health Department about the alleged breach which were held by Occupational Health at the time of the correspondence. While the HSE said that no copy of these emails could be located in the Occupational Health Department, it has in my view taken a very rigid interpretation around access to these records. In the circumstances and given my decision in regard to the inadequacy of the searches undertaken by the HSE, I am satisfied that the records are a copy of the records that are, or were, held by the Occupational Health Department and I direct the HSE to release a copy of these records to the applicant.

Decision

Having carried out a review under section 22(2) of the FOI Act, I hereby annul the HSE’s decision to refuse the applicant’s request under section 15(1)(a) of the FOI Act and I direct it to consider the request afresh. I also direct the HSE to release a copy of the communications between the DPO and the Occupational Health Department concerning the applicant’s data breach complaint.

Right of Appeal

Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.

Richard Crowley

Investigator