Internal investigations into serious incidents (“SI”) within a healthcare setting are now a routine part NHS governance. While the NPSA tried to implement some consistency by introducing the National Framework, the approach taken by NHS organisations remains as varied as the conclusions reached.

Whilesome Trusts like to take a “quick and dirty” approach, getting everyone into the room as soon as possible, others treat it as a more formal, even forensic, exercise. There is no absolutely right or wrong approach. At Mills & Reeve we have been providing advice and training to NHS staff carrying out investigations for many years. One issue that keeps coming up for discussion is the question of disclosing of reports, statements, notes of meetings and other evidence to third parties.

There is no right or wrong legal answer to every circumstance; but there are definitely some issues, both legal and policy to consider. It is well worth an organisation making it clear within its own policies and procedures what it expects to happen once an investigation is complete.

The legal basis of an investigation

Let’s just stop and think: why are we doing this? Yes, it is now best practice, but it has not always been. Well, Department of Health policy and in particular the 2000 publication of “Organisation with a Memory” is often seen as the foundation of the approach. This set the NHS on a path towards learning from its mistakes. This has led to many improvements in care over the years as Trusts begin to understand why failures occur and improve, though I personally feel that the NHS has relied too heavily on picking up the pieces of “plane crashes”, rather than using the sort of proactive risk management methodology that underpins health and safety in industries other than healthcare.

There are also obligations under Health and Safety legislation for a duty holder to reassess the risks posed to the health and safety of staff, visitors and patients when they have reason to believe that the current control measures are no longer valid. If a patient has been harmed in an incident, this does rather suggest that the existing procedures need reviewing.

The investigation

One thing, above all, needs to be clear at the outset. What is the purpose of the investigation? By and large it is to identify whether improvements can be made to the service for the future. It is, necessarily, not a disciplinary investigation; it is not a criminal investigation; it is not a coronial investigation. They all have their place but should be undertaken separately for their own purposes.

The Data Protection Act requires that you process all personal data fairly and lawfully. The information provided by a member of staff regarding their involvement in an incident is likely to be “personal data”. It is also possible that, in particularly difficult cases, information provided by a witness could constitute a protected disclosure under whistleblowing legislation.

Whatever process is followed, it is therefore important to ensure that staff involved are fairly and accurately told what is happening and what will happen to the information that they provide at the outset. Is it confidential? Who will you share it with? How will it be stored?

It is common sense that individuals will be more forthcoming, and the value of the investigation itself will be greater, if they believe that the information they provide will be treated in confidence.


If you have considered the question of disclosure at the outset, you will be far better placed to decide how to proceed should you be asked to share it externally. However, unless you have told staff that you will be sharing the information that they provide with a particular organisation or official body, you may need to consult them before you make a decision.

The Data Protection Act requirement of fair processing means seeking the views of the individuals whose personal information you are sharing. This does not mean getting their consent, but letting them know of the request and listening to any views they have. Of course, if they do consent, matters are made considerably easier.

It may be possible to remove names from the report, but that often fails to really anonymise the report itself given other knowledge already held by the recipient (or anyone with access to Google for that matter).

The next step is to consider whether it is lawful to disclose any of the information provided. No Trust is (hopefully!) going to publish all their reports and supporting statements on their website but at the same time they may be sharing the report itself fairly widely, with the patient, the family and/or other healthcare organisations. Whether that will be lawful will require different analysis, depending upon the recipient and the basis upon which it is being shared. I will consider the principle scenarios below.

Data Protection Act 1998 (“DPA”)

The first step is to consider whether the report contains personal data. This is widely defined by the DPA and means that any detailed report is likely to consist of personal data of more than one person – the patient and the staff involved. In that case, a living patient will be able to make a subject access request under the DPA.

The problem comes when the data constitutes personal data of more than one individual. Under section 7(4) of the DPA a data controller is not obliged to comply with the request unless either:

  1. The other individual has consented to the disclosure of the information to the person making the request, or
  2. It is reasonable in all the circumstances to comply with the request without the consent of the other individual

Reasonable in all the circumstances will mean considering a number of relevant issues such as those specified under the Act (the extent of the duty of confidentiality owed to the other individual and the views of that individual) as well as the nature of the information itself; how sensitive it is to the third party; and the damage that release will cause.

It is also likely that different considerations and conclusions will apply to the overview report itself and to any notes/statements/transcripts of the information provided by those participating in the investigation.

It may not be possible to redact a SI report in such as way as to anonymise it so as to avoid disclosing third party information. However, it may be easier to hide the identity of the patient than the staff.

Freedom of Information Act 2000 (“FOIA”)

There are likely to be a number of exemptions that apply to an application made under the FOIA.. The Information Tribunal confirmed that an NHS Trust appropriately refused to disclose staff statements obtained during an internal investigation, even where it had already disclosed the report itself. The Tribunal ruled that the statements were exempt under both Section 31 (information provided in respect of law enforcement) and Section 36 (information likely to be prejudicial to the effective conduct of public affairs).

In its reasoning, the tribunal accepted that the disclosure of statements from staff created a real and significant risk of prejudice to the Trust’s ability to exercise relevant functions. Basically, if staff knew that their comments would be disclosed widely, they would be less likely to be forthcoming and the whole value of the investigation process would be diminished.

As it had decided that two absolute exemptions applied, the tribunal did not go on to consider other exemptions, despite the fact that the original decision of the Information Commissioner was that the statements were exempt under Section 40 (personal information). The Trust had also relied upon Section 41 (information provided in confidence) which another Information Tribunal found to apply to information provided to a PCT by social workers – see Martyres v Information Commissioner & NHS Cambridgeshire (EA/2011/0209)

These latter two exemptions are qualified, meaning that the data controller must balance the public interest of maintaining confidential information against the use that such information would be put.

Requests from the coroner

It can be particularly difficult to objectively consider requests for disclosure made by a coroner in cases where a patient has died. The coroner is likely to have a legitimate interest in the internal investigation as he has his own investigation to conduct. He or she can be informed by that investigation and make a number of decisions about the evidence they need to hear. However, conclusions reached by an internal investigator should rarely form part of the evidence called at the hearing – the court should still hear directly from those involved and make up its own mind. Recommendations made are more relevant in respect of rule 43 duties to report matters where there is a risk of recurrence.

While falling outside of the statutory regimes above, many of the same considerations are relevant. Is the public good better served by maintaining any confidence that exists in the information obtained during an internal investigation as opposed to the value that it adds to an inquest? One relevant consideration must be that the coroner has the power to call the individual participants themselves and hear their evidence on oath. This may be considered inherently more reliable than what they may say, in confidence, as part of an internal investigation where they are also mindful of their own employment prospects. While it may be convenient for a coroner to consider such reports, the case where it is essential must be rare.

Ultimately, the coroner may seek recourse to the County Court to get an order for disclosure of documents that are not being voluntarily shared with him or her. Under CPR 34.4 the court may issue a witness summons in aid of an inferior court that does not have its own authority to require its production. The basic principles upon which the court would consider making an order were set out in the case of South Tyneside Borough Council v Wickes Building Supplies [2004] EWHC 2428, which can be summarised as:

  1. The object is to obtain specified documents, and a summons should not be used to obtain disclosure; nor should it be of a “fishing” or speculative nature
  2. The production of the documents must be necessary for the fair disposal of the “matter” or to save costs
  3. The fact that documents are relevant is not to be decisive
  4. The fact that the specified documents may contain confidential information is not an absolute bar to production (although it is plainly a factor which must be taken into account)

For this to assist the coroner therefore, he or she must be able to point to a specific document, the disclosure of which is necessary. While this is not necessarily the highest threshold, the coroner will be required to have a cogent argument to explain why such documents are necessary.

Arguably, the practice of calling the authors of internal investigations at inquests has already begun to diminish the real value of the reports themselves, as the gravitational pull of the likely summons from the coroner begins to distort the language used and conclusions reached.

The same considerations need to be given to the supporting evidence obtained by the author during their investigation. Whether these are notes made by the interviewer; transcripts of the discussion; or signed statements, there may well be cases where it would not be appropriate to disclose these records, even where the report has been shared. There is a real prospect of individuals being cross-examined in the witness box on words that were written by someone else without the same attention to detail that would be employed when preparing a witness statement for use in court proceedings.

Furthermore, care should be taken to ensure that the internal investigation is not usurping the role of the inquest. The inquest has a very different underlying purpose and the coroner must not take short cuts on the basis of the conclusions reached by others. If you do share the report, you should take care to ensure that the investigator is not being used to give factual evidence on behalf of others.


The police have more limited powers to obtain documentation than you may at first think. It is clear that the police have no powers to obtain sensitive personal data such as medical records until criminal proceedings are underway against a particular defendant, when a court may make a production order. Internal investigation reports and statements are also likely to contain sensitive personal data and you would be wise to seek specialist advice.

HSE, CQC and other regulators

Regulators are creatures of statute and their powers will be laid down in the legislation that establishes their reach. It is often the case that these powers extend beyond the bodies referred to above and should be considered on a case by case basis.


Investigating serious incidents in a healthcare setting provides much value and no doubt leads to real improvements in care and proves patients with a safer environment. However, the wider legal and regulatory arena within which healthcare operates can complicate what is primarily an internal learning process.

You need to ensure that you consider the question of disclosure at the outset of an investigation and deal with any requests in accordance with the Data Protection Act. There are no absolute answers and care must be taken to ensure that you are fair to both patients and staff and not beaching any confidences.

Third parties, such as coroner’s, should consider the value that internal investigations provide their own inquiry and consider whether there is any risk of reducing the value of internal, open learning, by making trusts carry them out under external scrutiny.