phsothefacts-logo-D3.pngWhen you make a complaint about the NHS or a public body you are required to find  all the evidence to support your case yourself.  This is not easy, as organisations close ranks against you and you will have to fight for your rights under the data protection and freedom of information laws.  You are always on the back foot as you have no idea what records they are holding and they use every trick in the book to withhold or redact key information. 


As you start making data release requests prepare yourself for the long haul as you will have to make numerous requests to the same body for the same information as they work on the basis that a good percentage will give up trying if they make it difficult.    Data protection officers are masters of subterfuge who managed to write replies that don’t tell you anything.  They usually complete their non-responses with the irritating comment, I hope you have found this helpful.’  

So on that basis; I hope you find this helpful.

Who are ICO?

ICO is the Information Commissioner’s Office and they are charged with protecting your rights according to the law on data handling and data release.  Quote from their website.

‘The ICO’s mission is to uphold information rights in the public interest. We give guidance to citizens and organisations, rule on eligible complaints, and take appropriate action when the law is broken.’’  

two hoodlums from ICO threaten a data officer with the requirement to fill in a load of forms.

Cartoon by Pixomanic

You can check out their website here www.ico but don’t believe everything you read.  In truth they are a pretty toothless watchdog, reluctant to intervene on your behalf against intransigent organisations.  If they feel you have a genuine case, they do no more than write to the organisation and request release of documentation on your behalf.  If the organisation refuses, ICO is likely to tell YOU to take them to court as they wash their hands of the matter.  You can have a look at ICO prosecutions here and see they types of case they uphold.  ico.org.uk/prosecutions   Also, don’t expect a speedy response.  ICO will take anything from 3 to 6 months to process your complaint and will often require a little prompting before they get back to you with an answer.  They work on the same basis as all the others, delay, deny, defend – get used to it as you have a lot more to come!

You may find this of interest:  http://2040infolawblog.com/2015/03/02/who-watches-the-watchdog/

What are my rights under the law? 

Data Protection Act: 

All organisations, both public and private are required to abide by the Data Protection Act of 1998.  The act governs the protection of personal data in line with E.U. regulations and is based on 8 principles which can be seen here. wiki/Data_Protection_Act_1998  In essence individuals have the right to see and amend any personal information which is held on them.  You can ask to see any documentation in which you are named which is stored electronically or on paper.  This includes transcripts of recorded phone conversations, hand written notes and emails.  You can also ask for interpretations of technical terms and knowledge of who has had access to this information and for what reason.  Looks good doesn’t it.

You need to make a ‘subject access request’ and there is useful information on how to do this on the ICO site ico-subjectaccessrequest  You need to give the organisation 40 calendar days and this includes bank holidays and weekends.  There is a cost of £10 and it is a good idea to send the cheque with your initial request to save delay.  In practice few organisations actually cash the cheque and many send it back to you.

After 40 calendar days a big fat envelope drops through your letter box.  Most of the content will be all the letters and emails you have sent to them.  Anything sensitive will have been weeded out or redacted into meaningless drivel.  What you won’t find are all the internal emails they send between themselves and other organisations where they hatch up the ‘story’ they are going to tell you. Public bodies often employ external advisers to ensure that nothing slips through the net.  All correspondence with private companies is top secret and not subject to data protection laws.  If you think they have held something back then you can make another request, and another, and another…  If you have details of a document they have not supplied, you can ask for it specifically.  If they refuse to release it, you can then take your case to ICO and let them ponder on it for a few months.

Organisations are able to cover up the truth by using the many clauses and sub-clauses which form a complex web of rights and protections which are open to interpretation.  The only way you can define the act in law is to take the organisation to court and if you have read going-to-court then you will think twice about this.

Parliament is constantly adding new clauses, to close loopholes and protect the guilty.  This clause permits organisations to withhold documents if they demonstrate incriminating evidence of an offence.  So you won’t see any of the paperwork which confirms that a law has been broken and that’s official.

  1. Paragraph 10 of Schedule 18 amends paragraph 11 of Schedule 7 to the 1998 Act to make provision in relation to the principle against self-incrimination. This existing provision of the 1998 Act provides that data controllers are not obliged to satisfy subject access requests under section 7 of the 1998 Act, where to do so would reveal incriminating evidence of an offence other than an offence under the 1998 Act. It additionally provides that any information that was so disclosed under a subject access request is not admissible against the data controller in proceedings for any offence under the 1998 Act. The amendment adjusts the provisions so that neither the 1998 Act offences nor certain perjury offences are covered by this protection.

Freedom of Information 

The other way to gather evidence is to ask for a freedom of information request.  The Freedom of Information Act 2000 only applies to publicly funded bodies.  Once a public body is taken over by a private organisation they have no obligation under the law to release information.   Freedom of information gives you access to general data about an organisation rather than specific information related to your case.  You can ask about policies, procedures and data.  You can ask to see anything which is already held, but they will not find out information which is not currently stored.

There is a cost limit of £450 for most organisations, so if it costs them more than that in time they will refuse your request.  It is therefore better to make a number of small requests rather than one long one which will be turned down immediately.  Be as specific as you can with times, dates, names etc.    Data officers find it very difficult to understand exactly what you are asking for and will often send you irrelevant information instead in the hope that you will give up with all the difficult questions.  There is no payment for FOI requests and you need to give them 20 working days to respond.  More information here:  gov:how to make FOI request

There are various ‘get out’ clauses to help data officers keep sensitive information under wraps.  You can see some of them here:  admin/foi/exemptions  The usual trick is to refuse (delay) or say ‘not held’ (deny) or severely edit (defend).  You can of course report an organisation to ICO if you are not satisfied with their response, but I think we know the likely outcome there.

The best way to make a FOI request is to use the public site whatdotheyknow.  You are more likely to get an answer and if they waffle around then everyone can see them in their true colours.  Rather than give a direct response, they will often answer the question they wish you had asked, refer you to their website, or totally fail to answer at all stating that thie information is due to be placed in the public domain at some point in the future, as in this case. whatdotheyknow/audited_accounts

You might find it useful to use the following wording to make sure all the bases are covered.

I am writing to make an open government request for all the information to which I am entitled under the Freedom of Information Act 2000.

Please send me recorded information, which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.

If this request is too wide or unclear, and you require a
clarification, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters.(Section 16 / Regulation 9).


Here’s the ICO guidance: 


If my request is denied in whole or in part, I ask that you justify all deletions by reference to specific exemptions of the act.I will also expect you to release all non-exempt material. I reserve the right to appeal your decision to withhold any information or to charge excessive fees.

If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.

Please confirm or deny whether the requested information is held ( section (Section 1(1)(a) and consider whether information should be provided under section 1(1)(b), or whether it is subject to an exemption in Part II of the Act.

If the release of any of this information is prohibited on the
grounds of breach of confidence, I ask that you supply me with copies of the confidentiality agreement and remind you that information should not be treated as confidential if such an agreement has not been signed.


I understand that you are required to respond to my request within the 20 working days after you receive this letter. I would be grateful if you could confirm in writing that you have received this request.

If you would like to see previous FOI requests to PHSO then look under foi  on this site.  I am sure you will find something to interest you.

Do I have access to medical records for myself and my next of kin?  

Well of course you do, that’s one of the benefits of living in a democracy.   You can ask to see all the medical records which haven’t been lost or destroyed.  Simple as that.  You can find out how to access your medical records here: nhs.uk

If you have a relative going into hospital it would be a good idea to get ‘power of attorney’ for them while they can still hold a pen.  This will give you access to their medical records and some control over their treatment if they become incapable during their stay.   Make sure you have power of attorney over all aspects of care and not just financial.  For more information look at these links:

nhs.uk/power of attorney          gov.uk/power-of-attorney

 If your loved one dies unexpectedly in hospital then your power of attorney dies with them and you will no longer have a right to see their medical records.  As the data protection act applies only to a living person and FOI requests have all personal information redacted, it then becomes impossible to uncover the evidence.  If you have a financial interest’ towards the patient then you can ask to see the records under the Access to Health Records Act 1990  legislation.gov  A financial interest would be some sort of dependency such as spouse or child.  It helps if the patient signs over ‘advocacy’ before going into hospital, giving permission for the advocate to see their medical and personal records both before and after death.   If there is no financial interest then this will not be permitted.  If the deceased has made a will then the executor can have access to their medical records on request.  Being named as the executor of the will is the most reliable way of ensuring access to medical records after death.

The records belong to the Health Board and they can decide, even with advocacy, that they need to withhold the information on the grounds that it would ‘mentally distress’ you.  Obviously not having a clue what happened is easier to cope with.   If you do manage to get access, you will need to become an expert in medical terminology in order to read them.  It will be necessary to continually read and re-read about the death of your loved one in order to make sense of any of it.  NHS lawyers advise health boards on ways to withhold damaging records.  This is entirely legal and no evidence of their input will appear in any paperwork you are given.  Here is an example of an NHS lawyer at work which was revealed by the Francis Inquiry.

……The coroner requested an expert report. Written by senior consultant Ivan Phair, it said that, in his opinion, the death was “avoidable” and that there was a “high probability that the level of care delivered to Mr Moore-Robinson was negligent”. 

But during the Francis Inquiry, which looked into standards of care at Mid Staffordshire NHS Trust, it emerged that Ms Levy (NHS lawyer) did not want his comments to be mentioned in an inquest. 

She wrote two memos to him suggesting the consultant delete the criticism to avoid further distress to Mr Moore-Robinson’s family and “adverse publicity”….. 


If the Health Board withholds documentation where you have clear rights of access then you can write to ICO and claim that they should be released under ‘public interest’, or you could just go and watch some paint dry if you have time on your hands.

Once you get to the end of the system and find that there is no justice, you wonder why you spent so many hours chasing for documents.  The problem with evidence is that you need an impartial body to present it to and that doesn’t exist.  No matter how damning your evidence PHSO, GMC, CQC etc. will be able to interpret it all as ‘reasonable.’