When you make a complaint about the NHS or a public body you are required to find the evidence to support your case.  This is not easy when organisations close ranks and you will have to fight for your rights under the data protection and freedom of information laws.  You are always on the back foot as you have no idea what records they are holding and they often use obscure clauses to withhold or redact key information. You can see a list of data exemptions here which can be useful if you wish to make a challenge.

It can be a good idea to request your data (in particular health records) before making a complaint so that things don’t ‘get lost’. 

As you start making data release requests prepare yourself for the long haul as you will often have to make numerous requests to the same body for the same information.   Data protection officers are masters of subterfuge who manage to write replies that don’t tell you anything.  They usually complete their non-responses with the irritating comment, I hope you have found this helpful.’

This FOI request phso_data_protection_act_1998 gives great insight into the way the Information Commissioner’s Office (ICO) and PHSO are able to work in unison to prevent disclosure of information which may lead to reputational damage.

What are my rights under the law? 

Data Protection Act: 

You can use the data protection act to find out personal information held by public bodies. All organisations, both public and private are required to abide by the Data Protection Act of 1998.  The act governs the protection of personal data in line with E.U. regulations and is based on 8 principles which can be seen here. wiki/Data_Protection_Act_1998  In essence individuals have the right to see and amend any personal information which is held on them.  You can ask to see any documentation in which you are named or referred to which are stored electronically or on paper.  This includes transcripts of recorded phone conversations, handwritten notes and emails.  You can also ask for interpretations of technical terms and knowledge of who has had access to this information and for what reason.

You need to make a ‘subject access request’ and there is useful information on how to do this on the ICO site ico-subjectaccessrequest  You need to allow 40 calendar days for the delivery of the data and this includes bank holidays and weekends.  There can be a cost of £10 and it is a good idea to send the cheque with your initial request to save delay.  In practice, few organisations actually cash the cheque and many send it back to you.

After 40 calendar days, a big fat envelope drops through your letterbox.  Most of the content will be all the letters and emails you have sent to them.  Anything sensitive will have been weeded out or redacted into meaningless drivel.  What you won’t find are all the internal emails they send between themselves and other organisations where they hatch up the ‘story’ they are going to tell you.  If you think they have held something back then you can make another request, and another, and another…  If you have details of a document they have not supplied, you can ask for it specifically.  If they refuse to release it, you can then take your case to the Information Commissioners Office (ICO)and let them ponder on it for a few months.

Organisations are able to obfuscate by using the many clauses and sub-clauses which form a complex web of rights and protections that are open to interpretation. Parliament is constantly adding new clauses, to close loopholes and protect the guilty such as a clause which permits organisations to withhold documents if they demonstrate incriminating evidence of an offence.  So you won’t see any of the paperwork which confirms that a law has been broken and that’s official.

Freedom of Information: 

You use the freedom of information act to find out generalised rather than personal data.  The Freedom of Information Act 2000 only applies to publicly funded bodies.  Once a public body is taken over by a private organisation they have no obligation under the law to release any information. Under FOI you can ask about policies, procedures and data.  You can ask to see anything which is already held, but they will not provide any information which is not currently stored.

There is a cost limit of £450 for most organisations, so if it costs them more than that in time they will refuse your request.  It is, therefore, better to make a number of small requests rather than one long one which will be turned down immediately.  Be as specific as you can with times, dates, names etc.    Data officers find it very difficult to understand exactly what you are asking for and will often send you irrelevant information instead in the hope that you will give up with all the difficult questions.  There is no payment for FOI requests but you must wait for 20 working days for a response.  More information here:  gov:how to make FOI request

There are various ‘get out’ clauses to help data officers keep sensitive information under wraps.  You can see some of them here:  admin/foi/exemptions  The usual trick is to refuse your request by saying ‘not held’, or by severely editing the data you receive.

One of the best ways to make a FOI request is to use the public site WhatDoTheyKnow.  You are more likely to get an answer and if they waffle around then everyone can see them in their true colours. You can see a number of requests on this site concerning PHSO if you put their name in the search box.

You might find it useful when making an FOI request to use the following wording to make sure all the bases are covered.

Dear FOI Officer,

I am writing to make an open government request for all the information to which I am entitled under the Freedom of Information Act 2000.

Please send me recorded information, which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.

If this request is too wide or unclear, and you require a
clarification, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters.(Section 16 / Regulation 9).


If my request is denied in whole or in part, I ask that you justify all deletions by reference to specific exemptions of the act.I will also expect you to release all non-exempt material. I reserve the right to appeal your decision to withhold any information or to charge excessive fees.

If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.

Please confirm or deny whether the requested information is held ( section (Section 1(1)(a) and consider whether information should be provided under section 1(1)(b), or whether it is subject to an exemption in Part II of the Act.

If the release of any of this information is prohibited on the
grounds of breach of confidence, I ask that you supply me with copies of the confidentiality agreement and remind you that information should not be treated as confidential if such an agreement has not been signed.

I understand that you are required to respond to my request within the 20 working days after you receive this letter. I would be grateful if you could confirm in writing that you have received this request.

Who are ICO?

ICO is the Information Commissioner’s Office and they are charged with protecting your rights according to the law on data handling and data release.  Quote from their website.

‘The ICO’s mission is to uphold information rights in the public interest. We give guidance to citizens and organisations, rule on eligible complaints, and take appropriate action when the law is broken.’’  

You can see their website here www.ico but as this is just another government quango they tend to protect the public bodies and not the public. In truth, they are a pretty toothless watchdog, reluctant to intervene on your behalf against intransigent organisations.  If they feel you have a genuine case, they do no more than write to the organisation and request release of documentation on your behalf.  If the organisation refuses, ICO is likely to tell YOU to take them to court as they wash their hands of the matter.  You can have a look at ICO prosecutions here and see the types of case they uphold.  ico.org.uk/prosecutions   Also, don’t expect a speedy response.  ICO will take anything from 3 to 6 months to process your complaint and will often require a little prompting before they get back to you with an answer.  They work on the same basis as all the others, delay, deny, defend.

You may find this of interest:  who-watches-the-watchdog

Do I have access to medical records for myself and my next of kin?  

Well of course you do, that’s one of the benefits of living in a democracy.   You can ask to see all the medical records which haven’t been lost or destroyed.  Simple as that.  You can find out how to access your medical records here: nhs.uk

If you have a relative going into hospital it would be a good idea to get ‘power of attorney’ for them while they can still hold a pen.  This will give you access to their medical records and some control over their treatment if they become incapable during their stay.   Make sure you have power of attorney over all aspects of care and not just financial.  For more information look at these links:

nhs.uk/power of attorney          gov.uk/power-of-attorney

 If your loved one dies unexpectedly in hospital then your power of attorney dies with them and you will no longer have a right to see their medical records.  As the data protection act applies only to a living person and FOI requests have all personal information redacted, it then becomes impossible to uncover the evidence.  If you have a financial interest’ towards the patient then you can ask to see the records under the Access to Health Records Act 1990  legislation.gov  A financial interest would be some sort of dependencies such as spouse or child.  It helps if the patient signs over ‘advocacy’ before going into hospital, giving permission for the advocate to see their medical and personal records both before and after death.   If there is no financial interest then this will not be permitted.  If the deceased has made a will then the executor can have access to their medical records on request.  Being named as the executor of the will is the most reliable way of ensuring access to medical records after death.

The records belong to the Health Board and they can decide, even with advocacy, that they need to withhold the information on the grounds that it would ‘mentally distress’ you.  Obviously not having a clue what happened is easier to cope with.   If you do manage to get access, you will need to become an expert in medical terminology in order to read them.  It will be necessary to continually read and re-read about the death of your loved one in order to make sense of any of it.  NHS lawyers advise health boards on ways to withhold damaging records.  This is entirely legal and no evidence of their input will appear in any paperwork you are given.  Here is an example of an NHS lawyer at work which was revealed by the Francis Inquiry.

……The coroner requested an expert report. Written by senior consultant Ivan Phair, it said that, in his opinion, the death was “avoidable” and that there was a “high probability that the level of care delivered to Mr Moore-Robinson was negligent”. 

But during the Francis Inquiry, which looked into standards of care at Mid Staffordshire NHS Trust, it emerged that Ms Levy (NHS lawyer) did not want his comments to be mentioned in an inquest. 

She wrote two memos to him suggesting the consultant delete the criticism to avoid further distress to Mr Moore-Robinson’s family and “adverse publicity”….. 


If the Health Board withholds documentation where you have clear rights of access then you can write to ICO and claim that they should be released under ‘public interest’ – good luck with that.

Once you get to the end of the system and find that there is no justice, you may wonder why you spent so many hours chasing for documents.  The problem with evidence is that you need an impartial body to present it to and presently that body doesn’t exist.  No matter how damning your evidence PHSO, GMC, CQC etc. will be all be able to state that things have been handled ‘appropriately’. 

















  1. Brenda says:

    The problem I had with ICO was that of Legal Privilege. The authority said the information I wanted was legal privilege and so would not disclose. But I believe it was simply chat among staff which is not covered. Only advice from legally qualified advisors is covered.
    ICO said, on the balance of probability is was legal privilege, but did not test this out…. Fair? It would be if it had been tested….but it was not.

  2. Elise Holton says:

    Whilst collating evidence for a forthcoming Court of Appeal Hearing I made Subject Access Requests to a school, local council and NHS. ICO at first appeared very helpful and correspondence from them to said organisation most certainly stops you being ignored. ICO confirmed the schools breach in writing which I needed but did not go any further and nothing happened. The council had made changes to official documents prior to SAR and lied. After months of keeping on they agreed the documents were inaccurate and agreed to amend. ICO believed they had been amended when this did not happen and refused to check if this was true or not. Council said they had sent me corrected docs but kept sending me the unchanged ones and the ICO did nothing and believed the council despite not even checking the truth. The NHS refused to provide evidence for one medical session and kept changing the date to another then saying they had responded. I received so much abuse from NHS and often received apologies with a margin half way across the page and half the words missing so it was not an apology at all. I kept on at the ICO as the NHS had breached data protection and did not provide a full response and again at the end of the day ICO did nothing.

Leave a Reply

Your email address will not be published. Required fields are marked *