Mr. K & The Health Service Executive (the HSE)
From the Office of the Information Commissioner
Case number: OIC-150928-H4P8J5
Published
Language: No Irish version of this item is available.
Whether the HSE was justified in refusing access to various records relating to a data breach reported by the applicant on the basis of sections 29(1)(a), 30(1)(a) and 37(1) of the FOI Act
13 August 2025
By way of background, the applicant made a data breach complaint to the HSE, wherein he listed a number of HSE staff. He subsequently made a formal complaint to the Data Protection Commission (the DPC) about the same matter. He has subsequently made a number of FOI requests to the HSE seeking access to records relating to the reported breach.
In a request dated 29 May 2024, the applicant sought access to records which had been found to be outside the scope of his request in a previous case (OIC Case No. OIC-135868-N2C9G refers), as well as records relating to his data breach complaint. The applicant’s request was dealt with by two separate sections of the HSE: Safeguarding and Patient Safety (SPS), which dealt with the first part of the request and part of the second, and Consumer Affairs (CA), which solely dealt with the second part.
For ease of reference, I will use the HSE’s page numbering system as set out in the records and schedules provided to the applicant.
In a decision dated 26 June 2024, CA provided two record schedules relating to 99 pages in total. It released some pages in full and refused access to the remaining pages on the basis of sections 29(1)(a) and 30(1)(a) of the FOI Act. I understand that SPS drafted a decision dated 29 June 2024, relating to the applicant’s request. However, due to a technical issue, the applicant did not receive a copy of this decision.
The applicant made an internal review request on 1 July 2024. SPS affirmed its original, unissued, decision on 22 July 2024, which had identified 146 relevant pages. It released some pages in full and refused the remainder, including correspondence with the DPC, under sections 29(1)(a) and 30(1)(a) of the FOI Act. On the same date, CA affirmed its original decision.
On 14 August 2024, the applicant applied to this Office for a review of the HSE’s decisions on his request.
During the course of the review, I notified the applicant that I considered section 37 of the FOI Act to be of relevance and invited him to comment. He made verbal submissions in response, which will be considered below. I also notified the DPC of this review and invited it to comment on the relevant records comprising correspondence between its office and the HSE. In its response, it indicated that it had no objection to the release of the particular records in this case.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the applicant’s comments in his correspondence with this Office, to the submissions made by the HSE in support of its decision and to the DPC’s response to my notification. I have also had regard to the contents of the records concerned. I have decided to conclude this review by way of a formal, binding decision.
The scope of this review is solely concerned with whether the HSE was justified in refusing access to the records at issue under sections 29(1)(a), 30(1)(a) and 37(1) of the FOI Act.
Before I address the substantive issues arising, I would like to make a number of preliminary comments.
First, I note that during the review, the applicant stated that the matters concerning the reported data breach had caused him great distress and that he had been attempting to clarify how a HSE staff member had accessed his personal data since the matter occurred. However, as has been explained to the applicant in relation to previous cases, this Office has no remit to investigate complaints, to adjudicate on how FOI bodies perform their functions generally, or to act as an alternative dispute resolution mechanism with respect to actions taken by FOI bodies.
Secondly, section 13(4) of the FOI Act provides that, subject to the Act, in deciding whether to grant or refuse an FOI request, any reason that the requester gives for the request and any belief or opinion of the FOI body as to the reasons for the request shall be disregarded. Thus, while certain provisions of the Act implicitly render the motive of the requester relevant, as a rule, the actual or perceived reasons for a request must be disregarded in deciding whether to grant or refuse an access request under the FOI Act.
The records at issue
The records in question comprise internal HSE email threads about the processing of the data breach complaint, some of which contain details of the applicant’s complaint; correspondence with the DPC in relation to the complaint, and copies of the formal HSE data breach report.
Section 37 – third party personal information
Section 37(1) of the FOI Act provides that, subject to the other provisions of the section, an FOI body shall refuse a request if access to the record concerned would involve the disclosure of personal information. This does not apply where the information involved relates to the requester (section 37(2)(a) refers). However, section 37(7) provides that, notwithstanding section 37(2)(a), an FOI body shall refuse to grant a request if access to the record concerned would, in addition to involving the disclosure of personal information relating to the requester, also involve the disclosure of personal information relating to an individual or individuals other than the requester. This is commonly known as joint personal information.
Section 2 of the FOI Act defines personal information as information about an identifiable individual that either (a) would, in the ordinary course of events, be known only to the individual or members of the family, or friends, of the individual, or (b) is held by the FOI body on the understanding that it would be treated by that body as confidential. Section 2 goes on to specify 14 categories of information which, without prejudice to the generality of the above definition, constitute personal information. This includes (i) information relating to the educational, medical, psychiatric or psychological history of the individual, (iii) information relating to the employment or employment history of the individual, (ix) a number, letter, symbol, word, mark or other thing assigned to the individual by an FOI body for the purpose of identification or any mark or other thing used for that purpose and (xiv) the views or opinions of another person about the individual.
However, the definition at section 2 provides that personal information does not include:
“(I) in a case where the individual holds or held—
(A) office as a director of,
(B) a position as a member of the staff of, or
(C) any other office, or any other position, remunerated from public funds in,
an FOI body, the name of the individual or information relating to the office or position or its functions or the terms upon and subject to which the individual holds or held that office or occupies or occupied that position or anything written or recorded in any form by the individual in the course of and for the purpose of the performance of the functions aforesaid”.
As noted above, the definition of personal information excludes the name of a member of staff of an FOI body or anything written or recorded in any form by the individual in the course of and for the purpose of the performance of his or her functions. However, the exclusion at paragraph (I) does not exclude all information relating to staff members. This exclusion is intended, essentially, to ensure that section 37 cannot be used to exempt the identity of a public servant in the context of the particular position held or any records created by the staff member while carrying out his or her official functions, or information relating to the terms, conditions or functions of positions. The exclusion does not deprive public servants of the right to privacy generally.
As also noted above, the HSE did not rely on section 37 in relation to the records sought.
In his submissions to this Office, the applicant indicated that, in his view, the names of and references to HSE staff members should not comprise their personal information under the FOI Act, even where the names are mentioned in the context of a complaint about the staff member(s) in question. He also argued that some of the records already released by the HSE in response to his requests and/or on foot of a decision by this Office contain the names and/or other details of staff members and other third parties. His view was that this had essentially put this information in the public domain.
I have carefully examined the records in question. I am satisfied that a large number of the records identified by the HSE solely relate to administrative matters concerning the processes involved in responding to a data breach complaint raised with the HSE and/or with the DPC. However, I am also satisfied that some of the records refer to the background of the reported breach and contain references to identifiable individuals other than the applicant, including, but not limited to, the eight staff members listed in his complaint. These records include the applicant’s data breach complaint, the HSE’s data breach report and additional information, a letter from the DPC seeking specific information from the HSE and the HSE’s detailed response.
While section 25(3) precludes me from revealing the content of an exempt record, I am satisfied that the data breach reports and the references to the staff member(s) in this context and/or the third party all emanate from the same matter. I am also satisfied that the release of any of the information contained in the records concerning the breach, its origins or the reasons behind the HSE’s actions would entail the release of sensitive personal information relating to an identifiable third party or parties other than the applicant. I am further satisfied that certain information relating to the reported breach and the subsequent complaint comprises joint personal information of the third parties intertwined with that of the applicant.
I would add, for the avoidance of doubt, that the fact that an applicant may be aware of the content of the records or may have been involved in matters detailed therein does not serve to disapply section 37(1). The release of a record under FOI effectively amounts to disclosure to the world at large, as the FOI Act places no restrictions on the type or extent of the subsequent use to which a record may be put. While the applicant may have made the initial complaint and be aware of the details of the reported breach, the question before me is whether release of the HSE’s data breach report and associated records in full would involve the release of third party personal information. I am satisfied that it would.
Accordingly, in the circumstances of this case, I find that section 37(1) applies to all of the references to the circumstances leading to the reported data breach and the steps taken by any of the third parties contained in the following records:
• SPS records: pages 10-11, 19-20, 23, 25-26, 35-36, 39-40, 80-83, Questions 1-5 in pages 106-109, 117, 118, 1231, 123, 124, 126, answers 1-5 in pages 130-132 and answers 1-5 and 9 in pages 135-137
• CA records: File 1, pages 8, 11, 22-23, 25, 28-29, 55-56 and File 2, Questions 1-5 page 17 and answers 1-5 and 9 on pages 25-27
However, that is not the end of the matter as section 37(1) is subject to the provisions of subsections (2) and (5). Section 37(2) sets out certain circumstances in which the exemption at section 37(1) does not apply. I am satisfied that none of the circumstances in section 37(2) applies in this case. Section 37(5) provides that a request that would fall to be refused under section 37(1) may still be granted where, on balance, (a) the public interest that the request should be granted outweighs the right to privacy of the individual to whom the information relates, or (b) the grant of the information would be to the benefit of the person to whom the information relates. I am satisfied that the relevant individual would not benefit from the release of the information at issue and I find that section 37(5)(b) does not apply.
Before I consider the applicability of section 37(5)(a), there are a number of important points to make. Firstly, section 13(4) provides that, subject to the Act, in deciding whether to grant or refuse an FOI request, any reason that the requester gives for the request and any belief or opinion of the FOI body as to the reasons for the request shall be disregarded. In relation to the question of the public interest, this means that I cannot have regard to the applicant’s motives for seeking access to the records at issue, except in so far as those motives reflect, or overlap with, what might be regarded as true public interest factors in favour of the release of the records, i.e. insofar as the concerns raised in relation to the request may also be matters of general concern to the wider public.
Secondly, it is important to again note that the release of records under the FOI Act must be regarded, in effect, as release to the world at large. With certain limited exceptions provided for under the Act, which are not relevant here, FOI is not about granting access to information to particular individuals only. Furthermore, as noted above, a requester's reasons for making a request are generally not of relevance. Thus, records are not released under FOI for any limited or restricted purpose.
All of this means that, in considering whether a right of access exists to records under section 37(5)(a), any decision to grant access would be on the basis that there is an overriding public interest in the release of the records effectively to the world at large that outweighs the privacy rights of the third party individual concerned.
In considering where the balance of the public interest lies in this case, I have had regard to section 11(3) of the Act which provides that, in performing any functions under the Act, an FOI body must have regard to, among other things, the need to achieve greater openness in the activities of FOI bodies and to promote adherence by them to the principles of transparency in government and public affairs and the need to strengthen the accountability and improve the quality of decision making of FOI bodies. However, in doing so, I have also had regard to the comments of the Supreme Court in The Minister for Communications, Energy and Natural Resources and the Information Commissioner & Ors [2020] IESC 57 (“the eNet judgment”). In the relevant part, the Supreme Court found that a general principle of openness does not suffice to direct release of records in the public interest and “there must be a sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure”. Although the Court’s comments were made in cases involving confidentiality and commercial sensitivity, I consider them to be relevant to the consideration of public interest tests generally.
The HSE made no public interest arguments in relation to section 37, although in its submissions to this Office, it stated that there was a public interest in preserving the “confidentiality in relation to personal matters of third parties that may be discussed in the records”. This might be construed as an argument that the public interest did not favour the release of the information concerned, although the HSE did not address this further.
As noted above, the applicant stated that the matters at hand had caused him great distress and that he had been attempting to clarify how a HSE staff member had accessed his personal data since the data breach first occurred. He also indicated that there was a significant public interest in openness and transparency about how the HSE carries out its functions in relation to data protection and how it manages the processes involved. He further argued that it was important to hold the HSE to account for its actions in these matters.
While the applicant’s arguments generally relate to his own interactions with the HSE and could be taken as a private interest, I accept that there is a public interest in knowing how the HSE manages these matters and in how it carries out its functions under the Data Protection Act 2018.
On the other hand, the FOI Act recognises the public interest in the protection of the right to privacy both in the language of section 37 and the Long Title to the Act (which makes clear that the release of records under FOI must be consistent with the right to privacy). It is also worth noting that the right to privacy has a constitutional dimension, as one of the unenumerated personal rights under the Constitution. Moreover, unlike other public interest tests provided for in the FOI Act, there is a discretionary element to section 37(5)(a), which is a further indication of the very strong public interest in the right to privacy. Privacy rights will therefore be set aside only where the public interest served by granting the request (and breaching those rights) is sufficiently strong to outweigh the public interest in protecting privacy.
As noted above, the records at issue contain references to named or identifiable individuals who had been listed in the applicant’s data breach complaint, as well as references to another third party who is not employed by the HSE.
As also noted above, I accept that there is a public interest in ensuring that the HSE is adequately carrying out its functions under Data Protection legislation. Having said that, it seems to me that while the release of the personal information identified above would shed some light on the HSE’s role in these matters, it would also reveal that the individual(s) had been named in a complaint to their employer, as well as in a complaint to the DPC. In relation to the other third party, I am satisfied that the release of the records would reveal information relating to their interactions with the HSE. These matters seem to me to be of an inherently private and sensitive nature and I must regard their release as being effectively, or at least potentially, to the world at large.
Furthermore, while I have noted the applicant’s arguments concerning the information already released in this and other related cases by the HSE, this Office takes the view that the fact that a requester may be aware of the nature of the information or may have even provided some or all of the information to the body in question does not mean that it cannot be regarded as personal information relating to a third party for the purposes of the FOI Act. Similarly, the Commissioner also takes the view that it is not appropriate for this Office to direct the release of exempt information simply because an FOI body has previously released similar or the same information under FOI.
Having considered the matter, and bearing in mind the strong public interest in protecting the right to privacy, I do not accept that the public interest in releasing this information outweighs, on balance, the privacy rights of the relevant third parties. In particular, I am not satisfied that any sufficiently specific, cogent and fact-based reason to tip the balance in favour of disclosure of the information at issue exists in this case. I find, therefore, that section 37(5)(a) does not apply to this information.
Accordingly, I find that section 37(1) applies to the personal information relating to HSE staff members named in the original complaint and to an identifiable third party, and/or the joint personal information of any of these individuals intertwined with that of the applicant contained in the following records:
• SPS records: pages 10-11, 19-20, 23, 25-26, 35-36, 39-40, 80-83, Questions 1-5 in pages 106-109, 117, 118, 1231, 123, 124, 126, answers 1-5 in pages 130-132 and answers 1-5 and 9 in pages 135-137
• CA records: File 1, pages 8, 11, 22-23, 25, 28-29, 55-56 and File 2, Questions 1-5 page 17 and answers 1-5 and 9 on pages 25-27
In the interest of clarity, however, I should state that I am satisfied that the names and references to other staff members of the HSE who are listed in the records do not constitute personal information by virtue of the exclusion to the definition at section 2 of the FOI Act. Such individuals hold a position as a member of staff of an FOI body and their names or information relating to their position or anything written or recorded by the individual in the course of and for the purpose of the performance of their functions is excluded from the definition of personal information. Accordingly, I am satisfied that section 37(1) does not apply to exempt such information.
Section 29 provides for the refusal of a request if (a) the record concerned contains matter relating to the deliberative process of an FOI body, including opinions, advice, recommendations and the results of consultations considered by the body for the purpose of those processes, and (b) the body considers that the granting of the request would be contrary to the public interest.
These are two independent requirements and the fact that the first is met carries no presumption that the second is met. Furthermore, the public interest test at section 29(1)(b) is a strong test. Any arguments against release should be supported by the facts of the case and it should be shown how release of the records would be contrary to the public interest.
In order for section 29(1)(a) to apply, the records must contain matter relating to the “deliberative process” of an FOI body. An FOI body relying on this exemption should identify both the deliberative process concerned and any matter in particular which relates to those processes.
A deliberative process may be described as a thinking process which informs decision making in FOI bodies. It involves the gathering of information from a variety of sources and weighing or considering carefully all of the information and facts obtained with a view to making a decision or reflecting upon the reasons for or against a particular choice. Accordingly, it involves the consideration of various matters with a view to making a decision on a particular matter. It would, for example, include some weighing up or evaluation of competing options or the consideration of proposals or courses of action. The fact that a deliberative process exists and is ongoing does not mean that the exemption automatically applies without consideration of all the provisions of section 29. Equally, the fact that a deliberative process is at an end does not mean that the exemption can no longer apply.
In its original and internal review decisions, SPS cited section 29, but did not explain how it applied in this case. CA’s original decision stated that the records withheld comprised communications between it and other HSE departments or personnel, and between CA and the DPC, “wherein information and opinions [were] requested and received”. It stated that the correspondence was currently being considered by both the HSE and the DPC as part of the deliberative process concerning a reported data protection breach. CA argued that the release of these records might “inhibit the free and frank exchange of information” between the parties that was necessary “to arrive at the most appropriate decision possible”. The internal reviewer affirmed its original decision.
In its submissions to this Office, the HSE simply reiterated CA’s original decision and clarified that the records at issue comprised correspondence between the Deputy Data Protection Office (DDPO) in HSE Area South and other HSE departments/personnel and/or the DPC.
In his submissions to this Office, the applicant argued that the records he sought included information of a factual nature (section 29(2) refers) and should be released. The applicant also argued that the HSE had not adequately demonstrated that the release of the records sought could be detrimental to the DPC’s investigation.
A number of the records in question relate to correspondence with the DPC about the matters at hand. I understand that the DPC’s investigation into this complaint is still ongoing.
As noted above, during the course of this review, I notified the DPC of this review and gave it an opportunity to comment. In its response, it stated that, pursuant to Schedule 1, Part 1 of the FOI Act, it was subject to FOI only in respect of records concerning the general administration of the DPC. It noted that it was not an FOI body in respect of records relating to its functions as a data protection authority. It also noted that records of correspondence between it and the HSE in relation to its investigation would not be obtainable from the DPC itself on foot of an FOI request. However, it also stated that, without prejudice to the above, it did not object to the release of the records in this instance, “subject to any exemptions or restrictions that may apply to them as submitted by the HSE”. It concluded by stating that this was not to be taken as its “definitive or general position” in relation to such records held by other FOI bodies.
I have carefully reviewed the remaining records, other than those which I have found to be exempt in full or in part under section 37 above. As set out above, the records in this case mainly relate to correspondence generated on foot of a data protection complaint. They comprise internal HSE emails concerning these matters and external correspondence with the DPC. The records also include drafts of a formal data breach report completed after the applicant had made his complaint. In my view, the remaining records fall into two general categories: those that contain specific details of the matters at hand and those that refer in a high-level way to the matters concerned, including administrative-type records relating to the responses needed to be made to the DPC. However, I note in particular that CA File 1, page 9 and SPS, page 30, contain legal advice provided by an internal HSE legal adviser (page 9), and a request for legal advice (page 30). I note that the HSE did not rely on section 31(1)(a) to withhold access to this information. While it seems to me that section 31 would have been of more relevance, I am satisfied that these records relate to the deliberations of the HSE; they broadly relate to the consideration by the HSE of all the information and facts gathered in relation to the data breach, including the legal advices received, so that it can make a decision in relation to how to proceed with the complaint and how to respond to the DPC. Having carefully considered the remaining records other than those to which I have found section 37 to apply, while they are more high-level and contain less specific information, I am also willing to accept in the circumstances that they also relate to a deliberative process of this Office, the HSE and/or the DPC.
Accordingly, I find that section 29 applies to the remaining records. However, this is not the end of the matter, as I must also consider whether the release of the records in question would be contrary to the public interest.
As noted above, the public interest test at section 29(1)(b) is a stronger public interest test than the public interest test in many other sections of the FOI Act, requiring the FOI body to show that the granting of the request would be contrary to the public interest. This Office has previously held that the FOI Act clearly envisaged that there will be cases in which disclosure of the details of an FOI body’s deliberations whether before or, in some cases, after a decision based on those deliberations has been made would be against the public interest. However, this is not to say that such disclosure is always, as a matter of principle, against the public interest. Any arguments against release under section 29 should be substantiated and supported by the facts of the case. An FOI body should show how granting access to the particular records would be contrary to the public interest, e.g. by identifying a specific harm to the public interest flowing from release.
The HSE indicated that it considered a number of factors in relation to the public interest in favour of the release of the records sought. Of relevance, it stated that there was a public interest in ensuring accountability and objectivity in the decision making process, a public interest in government bodies being open and transparent in matters related to regulation and governance and a public interest in the public being better informed and more competent to comment on public affairs.
In terms of the public interest factors against the release of the records sought, it stated, essentially, that there was a public interest in not negatively affecting the investigation process, and in allowing FOI bodies to participate in such investigations without undue intrusion. It concluded that, in this instance, the public interest was best served by the withholding of these records. As noted above, the DPC made no objection to the release of the records sought relating to correspondence. Accordingly, it made no public interest arguments for or against the release of the records concerned.
The applicant made a number of arguments regarding the public interest in the release of the records sought. While I shall not set out all of the details here, he summarised his arguments as follows:
• The HSE’s decision making process regarding data breaches should be transparent to ensure accountability.
• Disclosure will help the public understand how data breaches are managed and the steps taken to protect personal data.
• Public scrutiny can lead to better standards and practices within the HSE, thereby improving public trust.
• The arguments presented by the HSE primarily focus on protecting deliberative processes and ongoing investigations. However, these are speculative and not supported by concrete evidence of potential harm.
• The balance of public interest favours disclosure, particularly given the significant concern over data protection and the handling of personal information.
As set out above, I am satisfied that pages 9 and 30 contain legal advice and a request for legal advice from the HSE surrounding these matters. I am also satisfied that the DPC’s investigation remains ongoing and that the matters are still current. I accept that there is a significant public interest in knowing that public bodies are handling sensitive personal information appropriately and dealing with data breach complaints in line with the relevant legislation. However, it seems to me that an FOI body seeking legal advice on these matters is entitled to consider the advice before deciding how best to proceed, without the deliberations being prejudiced by the release of said advice. As above, while the HSE has not relied on section 31 for its refusal of the records, it seems relevant to note that the FOI Act provides for the mandatory refusal of records which contain legal advice and I am satisfied that the particular weight afforded to the ability to be able to seek advice confidentially and to deliberate on its contents weighs in to the public interest. In particular, I consider that if such information was to be released it would set a precedent which would be contrary to the public interest. Accordingly, in the circumstances of this case, I am satisfied that the release of pages 9 and 30 would be contrary to the public interest in ensuring that the HSE be able to take appropriate steps to ensure they are complying with data protection law.
On the other hand, I do not consider that the HSE satisfied me that the release of the other remaining records would reveal any specific information or details, the release of which would be contrary to the public interest. Furthermore, it is not apparent to me from a close examination of the remaining records that this would be the case. It is not clear to me at all that the release of the information could result in any particular harm to the public interest. I do not see how the release of such high-level administrative information could hamper the investigative process described. I would also note that the HSE has conducted a balancing of the interests for and against release. However, as set out above, section 29 requires the release of the records withheld to be contrary to the public interest, which is a higher bar.
In the circumstances of this case, I find that pages 9 of CA file 1 and 30 of SPS records are exempt under section 29, but that the HSE was not justified in refusing to grant access to the remaining records on that basis.
Section 30(1)(a) provides that an FOI body may refuse to grant a request if it considers that access to the record concerned could reasonably be expected to prejudice the effectiveness of tests, examinations, investigations, inquiries or audits conducted by or on behalf of an FOI body or the procedures or methods employed for the conduct thereof.
Where an FOI body relies on section 30(1)(a), it should identify the potential harm in relation to the relevant function specified in the paragraph that might arise from disclosure. Having identified that harm, it should consider the reasonableness of any expectation that the harm will occur. The FOI body should explain how and why, in its opinion, release of the record could reasonably be expected to give rise to the harm envisaged. A claim for exemption under section 30(1)(a) must be made on its merits and in light of the contents of each particular record and the relevant facts and circumstances of the case. Section 30(1) is also subject to a public interest test under section 30(2).
The HSE
In its original and internal review decisions, SPS simply cited section 30, but did not explain how it applied in this case, other than to state that the release of the records sought could prejudice the outcome of an ongoing investigation.
In its original decision, CA referred to the investigation being conducted by the DPC into a reported data breach. It stated that the investigation involved ongoing communications between the DPC and HSE, so that the DPC could ensure it was fully informed about the case and “ultimately arrive at the correct decision”. It argued that it was “imperative” that such interactions were “thorough and candid”. It noted that it had never been common practice to release copies of such correspondence and that the unrestricted release of such records could quite reasonably be expected to prejudice an ongoing investigation. In its internal review decision, it simply noted that the data breach was still under review by the DPC and affirmed its earlier decision.
In its submissions to this Office, the HSE stated that the DPC’s investigation into the applicant’s complaint about a data breach was still ongoing. It reiterated the arguments set out above. Its position was that release of any of the withheld information “at this stage would be inappropriate”. It stated that when the DPC had issued its finding in relation to its investigation, “release of the withheld information can be reconsidered”.
The DPC
As noted above, I informed the DPC of this review and that the applicant sought access to emails between the HSE and the DPC following the data breach complaint, including requests for updates and a request for various details from the DPC dated 1 May 2024.
In its response, it stated that, pursuant to Schedule 1, Part 1 of the FOI Act 2014, it was subject to FOI only in respect of records concerning the general administration of the DPC. It also noted that the DPC was not an FOI body in respect of records relating to its functions as a data protection authority and that, therefore, the applicant could not seek the records by way of an FOI request to the DPC itself. Nonetheless, it stated that in relation to this specific case, and without prejudice to the above position, the DPC had no objection to the release of the records in this instance, “subject to any exemptions or restrictions that may apply to them as submitted by the HSE”.
It concluded by stating that this was not to be taken as setting out the definitive or general position of the DPC in relation to access to records generated by the DPC and/or which would form part of its file on a case which are held by other FOI bodies. Essentially, the DPC’s position was that having regard to the content of the specific records between it and the HSE in this case, it had no objection to their release. I note that it made no argument that the release of the records sought in this case could prejudice its investigation in any way.
The applicant
In his submissions to this Office, the applicant appeared to be of the view that, as the DPC was only partially subject to the FOI Act, the exemptions claimed by the HSE could not apply. In any event, his view was that the records sought should be released in full. His arguments in relation to section 30 mainly related to the public interest in the release of the records sought. In particular, the applicant has alleged that the HSE has not provided sufficient evidence to support the claim that disclosure would prejudice the DPC’s processes of any ongoing investigations. He maintained that the speculative nature of their claim should not be sufficient to justify withholding of information and that there is a strong public interest in understanding how the HSE manages data breaches, including its interactions with the DPC. He has argued that transparency in this area is crucial for accountability and ensuring that data protection practices are robust and effective.
Analysis
I have carefully considered the parties’ arguments and the remaining information contained in the records in question. I have found above that information relating to the matters leading to and concerning the processing of the applicant’s data breach complaint is exempt under section 37 of the FOI Act. I have found records concerning legal advice and requests for same to be exempt from release on the basis that they relate to a deliberative process and the release of same would be contrary to the public interest. I have also found that, while the remaining records relate to the deliberations of the various parties, the HSE was not justified in refusing access to them under section 29 of the FOI Act.
In respect of the HSE’s arguments under this subsection, it seems to me that the HSE has primarily argued that the release of the remaining records could impair the effectiveness of the DPC’s regulatory functions or its own data protection assessments.
In sum, while I accept that the HSE has identified a relevant function for the purposes of section 30(1)(a), and that it has stated that it expects this function to be harmed by the release of the records, it is not clear to me how the release of mainly administrative records relating to arrangements to reply to the DPC, high level outlines of the matters arising, or parts of the relevant documents that solely relate to organisational matters, and not to the third parties concerned, could prejudice the effectiveness of a review by this Office which has been completed, or of an ongoing investigation by the DPC, which had not objected to the release of the records sought, or of internal investigations or audits by the HSE into data protection matters. The information remaining under consideration reveals little about the investigative processes in question.
Furthermore, I do not accept that the HSE has demonstrated how the release of the records sought would prejudice the effectiveness of future investigations or inquiries conducted by the HSE, or the DPC, or this Office, or that it would prejudice the procedures or methods employed for the conduct thereof. Nor is the possibility of prejudice evident to me from an examination of the records themselves.
Having carefully considered matters, I find that the HSE was not justified in refusing access to the remaining information under section 30(1)(a) of the FOI Act.
Having carried out a review under section 22(2) of the FOI Act, I hereby vary the HSE’s decision.
I find that the HSE has justified its decision to refuse access to the following records on the basis of sections 37(1) and 29(1) as described above:
• SPS records: pages 10-11, 19-20, 23, 25-26, 30, 35-36, 39-40, 80-83, Questions 1-5 in pages 106-109, 117, 118, 1231, 123, 124, 126, answers 1-5 in pages 130-132 and answers 1-5 and 9 in pages 135-137
• CA records: File 1, pages 8, 9, 11, 22-23, 25, 28-29, 55-56 and File 2, Questions 1-5 page 17 and answers 1-5 and 9 on pages 25-27
I find that it has not justified its decision to refuse access to the remaining information on the basis of sections 29(1) and 30(1)(a) and am directing the release of the following records:
Consumer Affairs File 1: pages 5-6, 7, 10, 12, 13-17, 18-20, 21, 24, 26-27, 30-31, 43-47, 49-53, 57-58 and 63-68
Consumer Affairs File 2: pages 9-12, 13-14, 15-18 (subject to the redaction of questions 1-5), 19-20, 21-22, 23-27 (subject to the redaction of answers 1-5 and 9), and 28-29
Safeguarding and Patient Safety: pages 7, 8-9, 12-15, 16, 17-18, 21-22, 24, 27-28, 29, 31-32, 33-34, 45-46, 53-58, 59, 60-61, 80-83 (subject to the redaction of the staff member’s name), 96-98, 106-109 (subject to the redaction of questions 1-5),
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated by the applicant not later than eight weeks after notice of the decision was given, and by any other party not later than four weeks after notice of the decision was given.
____________________
Rachael Lord
Investigator