Case number: OIC-146457-Z0R8M7

Whether the Defence Forces was justified in refusing access to parts of a record concerning the unauthorised accessing of medical files

 

3 April 2024

 

Background

The applicant’s FOI request of 21 April 2023 requested access to correspondence between six named personnel, regarding the alleged unauthorised accessing of medical files, from 1 January 2022 to 31 March 2023.

The Defence Forces’ decision of 18 August 2023 covered three records, which it withheld under sections 32(1)(a)(i) (investigation of offences) and 32(1)(a)(ii) (enforcement of any law) of the FOI Act. The applicant sought an internal review on 18 August 2023 and, on 19 September 2023, the Defence Forces affirmed its refusal of the request.

On 19 September 2023, the applicant applied to this Office for a review of the Defence Forces’ decision. My decision in Case No. OIC-142473-T2Q3J3 considered certain of the records the subject of the Defence Forces’ decisions. The present review is concerned with the remainder of those records i.e. pages 17-28 of record 1.

During the review, the Defence Forces released pages 17, 19, 21 and 22. I have now completed my review in accordance with section 22(2) of the FOI Act and I have decided to conclude it by way of a formal, binding decision. In carrying out my review, I have had regard to the above exchanges, to correspondence between this Office, the Defence Forces and the applicant, to withheld details, and to the provisions of the FOI Act.

Scope of the Review

As noted above, the Defence Forces has released pages 17, 19, 21 and 22. I will exclude these pages from my review, along with the blank pages 18, 20, 26 and 28. Accordingly, my review is confined to whether the Defence Forces’ refusal of pages 23-25 and 27 of record 1 was justified under the provisions of the FOI Act.

Preliminary Matters

Section 13(4) of the FOI Act provides that, subject to the Act, in deciding whether to grant or refuse an FOI request, any reason that the requester gives for the request and any belief or opinion of the FOI body as to the reasons for the request shall be disregarded.

Section 25(3) of the Act requires me to take all reasonable precautions in the performance of my functions to prevent the disclosure of information contained in an exempt record or that would cause the record to be exempt if it contained that information.

Release of records under FOI is generally understood to have the same effect as publishing them to the world at large, given that the Act places no constraints on the uses to which the information contained in those records may be put.

Finally, in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors [2020] IESC 5 (the eNet judgment), the Supreme Court said that "it is the FOI body that must explain and justify a conclusion that the records are exempt by reference to the relevant provisions of the Act, and equally, it is the FOI body that must explain why the public interest does not justify release in the public interest." I also note that, in the Supreme Court case of Sheedy v the Information Commissioner [2005] IESC 35 Kearns, J. made it clear that a general prediction without any supporting evidence is not sufficient to satisfy the requirement that access to the record could reasonably be expected to result in the outcome envisaged. He stated that "[a] mere assertion of an expectation of [prejudice] could never constitute sufficient evidence in this regard".

However, while FOI bodies must justify their decisions, the eNet judgment in particular also says that a failure by an FOI body to do so does not lead to an inevitable or statutorily mandated outcome. Rather, this Office must adjudicate the merits of the decision to refuse by reason of an analysis of the records and the interests engaged, which might suggest either disclosure or refusal.

Analysis and Findings

The withheld details

Bearing in mind the requirements of section 25(3), I can say that pages 23-25 and 27 are comprised of lists of military and civilian personnel with access to a medical records system. As the applicant knows, I intend to consider these details under section 37 of the FOI Act (personal information).

Section 37 – personal information

Section 37(1)

Section 37(1) of the FOI Act provides that, subject to the other provisions of the section, an FOI body shall refuse a request if access to the record concerned would involve the disclosure of personal information (including personal information relating to a deceased individual).

Section 2 of the FOI Act defines the term “personal information” as information about an identifiable individual that would, in the ordinary course of events, be known only to the individual or his/her family or friends, or information about the individual that is held by a public body on the understanding that it would be treated as confidential. Section 2 also provides that, without prejudice to the generality of the above definition, personal information includes 14 specific categories of information, such as (iii) information relating to the employment or employment history of the individual and (vi) information relating to any criminal history of, or the commission or alleged commission of any offence by, the individual.

However, section 2 also excludes certain information, including names, from what may be considered as personal information where public servants and contractors are concerned. Generally speaking, the exclusion is intended to ensure that section 37 will not be used to exempt the identity of a public servant or contractor in the context of the particular position held, or any records created by the staff member or contractor while carrying out his or her official functions. The exclusion does not deprive staff members or contractors of the right to privacy generally.

Analysis

It is now the Defence Forces’ position that section 37(1) applies to the details at issue. The applicant does not appear to dispute that the details comprise personal information. He says, however, that all he knows about the Defence Forces’ investigation is that it began about a year after the alleged breach was initially identified, and only after he and another individual had complained to another review body.

As noted, pages 23-25 and 27 identify all military and civilian personnel with access to a medical records system. However, I must also take account of the fact that record 1 was created in the context of the alleged unauthorised accessing of medical files. In the circumstances, it seems to me that pages 23-25 and 27 identify all personnel who may be responsible for the alleged unauthorised accessing. I am satisfied that the relevant details comprise information falling within examples (iii) and/or (vi) above, and also that they are not covered by the exceptions in section 2 of the FOI Act, such that the details comprise personal information relating to the named parties. I find that section 37(1) applies to pages 23-25 and 27.

Noting the applicant’s position that his medical records were accessed without authorisation, it could be argued that the details also comprise personal information relating to him. However, if this is the case, I am satisfied that the applicant’s personal information would be inextricably linked to that of the identifiable third parties (joint personal information). Therefore, section 37(7) would be relevant. Section 37(7) provides that, notwithstanding section 37(2)(a) (see below), access to a record shall be refused where access to it would, in addition to involving the disclosure of personal information relating to the requester, also involve the disclosure of personal information relating to an individual or individuals other than the requester. 

I will now consider sections 37(2) and (5) of the FOI Act.

Section 37(2) - exceptions to section 37(1)

Section 37(2) of the FOI Act sets out certain circumstances in which 37(1) does not apply. In particular, section 37(2)(a) provides for the grant of access to personal information relating to the requester. As explained above, it could be argued that the details comprise the joint personal information of the applicant and the identifiable third parties. However, I am satisfied that if this is the case, section 37(2)(a) would not apply in light of the provisions of section 37(7). I am satisfied that the remaining circumstances set out in section 37(2) do not arise.

Section 37(5)

Section 37(5) provides that a request that would fall to be refused under section 37(1) may still be granted where, on balance (a) the public interest that the request should be granted outweighs the right to privacy of the individual to whom the information relates, or (b) the grant of the request would benefit the person to whom the information relates. I have no reason to consider that section 37(5)(b) applies.

Before I consider the applicability of section 37(5)(a), there are a number of important points to note. First, section 13(4) provides that, subject to the Act, in deciding whether to grant or refuse an FOI request, any reason that the requester gives for the request and any belief or opinion of the FOI body as to the reasons for the request shall be disregarded. In relation to the question of the public interest, this means that I cannot have regard to an applicant's motives for seeking access to the records at issue, except in so far as those motives reflect, or overlap with, what might be regarded as true public interest factors in favour of release of the records, i.e. insofar as the concerns raised in relation to the request may also be matters of general concern to the wider public.

Secondly, it is important to note that the release of records under the FOI Act must be regarded, in effect, as release to the world at large, given that the Act places no constraints on the uses to which a record released under the Act can be put. With certain limited exceptions provided for under the Act, which are not relevant here, FOI is not about granting access to information to particular individuals only. Furthermore, as noted above, a requester's reasons for making a request are generally not of relevance. Thus, records are not released under FOI for any limited or restricted purpose.

All of this means that, in considering whether a right of access exists to records under section 37(5)(a) of the Act, any decision to grant access would be on the basis that there is an overriding public interest in the release of the records effectively to the world at large that outweighs the privacy rights of the third party individuals concerned.

In considering where the balance of the public interest lies in this case, I have had regard to section 11(3) of the Act which provides that in performing any functions under the Act, an FOI body must have regard to, among other things, the need to achieve greater openness in the activities of FOI bodies and to promote adherence by them to the principles of transparency in government and public affairs and the need to strengthen the accountability and improve the quality of decision making of FOI bodies. However, in doing so, I have again had regard to the eNet judgment. In relevant part, the Supreme Court found that a general principle of openness does not suffice to direct release of records in the public interest and “there must be a sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure”. Although the Court’s comments were made in cases involving confidentiality and commercial sensitivity, I consider them to be relevant to the consideration of public interest tests generally.

My decision in Case No. 142473 had regard to the applicant’s views that there are public interests in knowing about the management of publicly-funded systems for storing confidential medical data, and in knowing how, and when, issues are investigated when they arise. As noted earlier in this decision, he also says that he is not aware of the current status of the Defence Forces’ investigation and that it began about a year after the alleged breach was initially identified, after complaints had been made to another review body.

In my view, disclosing the relevant details would provide a small amount of insight into how the Defence Forces stores, and manages the security of, medical data. Disclosure would also provide a very limited insight into the Defence Forces’ investigation, by revealing those identified as potentially responsible for the alleged breach.

On the other hand, the FOI Act recognises the public interest in the protection of the right to privacy both in the language of section 37 and the Long Title to the Act (which makes clear that the release of records under FOI must be consistent with the right to privacy). It is also worth noting that the right to privacy has a constitutional dimension, as one of the un-enumerated personal rights under the Constitution. Privacy rights will therefore be set aside only where the public interest served by granting the request (and breaching those rights) is sufficiently strong to outweigh the public interest in protecting privacy. Moreover, even where an overriding public interest in granting the request exists, there is a discretionary element to the application of section 37(5)(a).

In considering the weight of this public interest, it is relevant that disclosure of the details must be regarded as being effectively, or at least potentially, to the world at large. Regardless of the current stage of the Defence Forces’ investigation, I am satisfied that disclosing to the world at large that a person had been identified as potentially responsible for an alleged data breach would result in a significant breach of that person’s right to privacy.

Having given the matter careful consideration, I do not accept that the public interest in releasing the details outweighs, on balance, the privacy rights of the various third parties. I find, therefore, that section 37(5)(a) does not apply.

Decision

Having carried out a review under section 22(2) of the FOI Act, I hereby affirm the Defence Forces’ refusal of access to pages 23-25 and 27 of record 1, on the basis that they are exempt under section 37(1) of the FOI Act.

Right of Appeal

Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.

 

Anne Lyons
Investigator