The Information Commissioner (ICO) has upheld a decision by an NHS trust not to release five critical incident reports concerning five separate murders carried out by patients of the trust.

In February, the ICO stated that, as the reports contained personal data, their release under the FOIA would breach the Data Protection Act 1998.

The NHS trust argued that the information was exempt under the following sections of the FOIA: 

  • section 40(2) and 40(3)(a) as the reports contained personal data of which the requester was not the data subject; 
  • section 41 as the information was provided in confidence; and 
  • section 36(2)(c) as to provide the information would prejudice the conduct of public affairs.

The commissioner began by considering the exemptions in section 40(2) and 40(3)(a)and determined that the reports did indeed contain personal data of other data subjects, as defined by section 1(1) of the Data Protection Act 1998.

The commissioner found that much of the information in the reports was obtained through confidential consultations with healthcare professionals. In addition, he decided that it was unlikely that anyone who had contributed to the reports, produced as a result of internal inquiries, would have expected the information to be made public.

The commissioner ruled, on the facts of the case, that even a redacted report would contain enough information for some people to be able to determine the identity of the patients involved in the incidents and those who had contributed to the reports.

For these reasons, the commissioner held that the disclosure would contravene the first data protection principle as it would be unfair and therefore the information was exempt under section 40. Because section 40 is an absolute exemption, there was no need to consider the public interest test. Nor was it necessary to consider the other exemptions argued by the NHS trust.