Inquiries, reviews, investigations and court orders in health and social care services guidance for information governance professionals

You may receive a request for health and care information from a public inquiry, review, investigation or law court. Anyone requesting information for these purposes should be able to demonstrate their legal basis for requesting the information. All disclosures should be reviewed before sharing to ensure that only information relevant to the request is being shared and that any irrelevant information, for example third party data, has been redacted. You should ensure that your organisation’s privacy notice covers the sharing of data for inquiries, reviews, investigations and court orders.

Where records are requested, they must not be altered, amended or disposed of, so the team dealing with the review, inquiry, investigation or court order know they are accessing the original, genuine records. Altering, amending or disposing of records, once requested for disclosure, could be seen as a criminal offence under the Data Protection Act 2018 or the Public Records Act 1958.

Statutory public inquiries are independent of government and other agencies. They are established to investigate issues of serious public concern. Their powers are established in the Inquiries Act 2005. Inquiries will set out their terms of reference, which set the scope of the inquiry, and these will usually be made public before the inquiry begins.

At the time of writing there are two statutory public inquiries which have requested that large parts of the health and social care sector do not destroy any records that are, or may fall into the remit of the Inquiry:

• The Infected Blood Inquiry - further information about the Inquiry and the records which can be required is on its website
• The COVID-19 Inquiry – a separate piece of guidance on preparing for the COVID-19 Inquiry, which includes frequently asked questions, can be found on the NHS England Transformation Directorate website

The Inquiries Act provides a statutory public inquiry with powers to formally request any relevant information from any person or organisation. As a health or care organisation, you must comply with any formal request from a statutory public inquiry that you receive, known as a Section 21 notice. Alternatively, you must explain to the inquiry why you cannot provide them with the information requested, for example, if you do not hold the information. It is an offence under section 35 to not comply with a formal request for information (without good cause or reason).

Under UK General Data Protection Regulations (GDPR), the most likely lawful bases to apply to health and care organisations disclosing this information are:

• Article 6 (1) (c) legal obligation, in this case compliance with a notice made under section 21 of the Inquiries Act 2005
• Article 9 (2) (g) substantial public interest on the basis of law, to meet the statutory functions of the Inquiry

Where you are relying on Article 9 (2) (g) substantial public interest, you must ensure you have an appropriate policy document in place. The Information Commissioner’s Office (ICO) has produced guidance on what this should cover which includes a template document.

Confidential patient information and employee records (for example, HR records) are subject to a duty of confidentiality. Where the formal request includes confidential patient information, the lawful basis for providing this under the common law duty of confidentiality is met. This is because the Inquiries Act establishes a statutory obligation for health and care organisations to disclose relevant information to the Chair of a statutory public inquiry when requested. This overrides the duty of confidentiality allowing the disclosure to take place lawfully. Additional steps, such as seeking consent, are therefore not required.

The inquiry team will provide instructions on how to supply the requested information, and by when. You should direct any questions you have regarding the request to the inquiry team.

If you receive an informal request for information from a statutory public inquiry, the most likely legal bases to apply to disclosing the information are:

• Article 6 (1) (e) public task
• Article 9 (2) (g) substantial public interest on the basis of law, to meet the statutory functions of an inquiry

An informal request will not override the duty of confidentiality. Therefore, information will either need to be provided in an effectively de-identified format (for example to provide an aggregated dataset showing numbers of inpatients by age, sex and ethnicity), or a formal section 21 request will need to be made by the statutory public inquiry for confidential information.

Many of the documents of interest to the inquiry, in particular internal working documents and communications, may not contain any confidential patient or employee data, so you can provide these to the inquiry if requested.

You must only provide the specific information requested by the inquiry.

You must retain information that is in scope of an inquiry as set out in its terms of reference. Retaining information for a statutory public inquiry will not breach UK GDPR or the common law duty of confidentiality.

Health and care organisations must work with any investigation that is considering the safety of the care and support that the organisation has provided. This includes providing records and other information to allow the investigation to carry out its task.

Public inquiries are established by the government. Non-statutory public inquiries are not in scope of the Inquiries Act and therefore do not have the same powers to require information as statutory public inquiries.

Investigations and reviews may be internal, external, or independent. Independent investigations and reviews are carried out by a third party appointed by NHS England or a local commissioner on the basis of the Serious Incident Framework (2015) or its successor the Patient Safety Incident Response Framework (PSIRF) which is being implemented as part of the NHS Patient Safety Strategy. The PSIRF will be used by all services commissioned under the NHS standard contract.

Identifiable information will not always be needed to conduct an investigation, review, or inquiry. Wherever possible information should be either anonymised, or pseudonymised so that those conducting the review would not reasonably be able to identify individuals.

Where personal data is needed, the lawful bases under UK GDPR for processing data is:

• Article 6 (1) (e) public task
• Article 9 (2) (h) management of health and care services

Where confidential patient information is required and the information needs to be shared with those not directly involved in an individual’s care, for example, the internal or external investigation or review team, you will need to consider on a case by case basis the purpose of the review, non-statutory public inquiry or investigation and the seriousness of the case.

Where there is an overriding public interest to prevent serious harm in the future, as will be the case with patient safety-related investigations and reviews, then you can share confidential patient information. It is unlikely that their consent to share information would be required in cases of serious harm as the public interest would override any objection.

A non-statutory inquiry, review or investigation may for example be looking at events that have led to death or serious harm and identifiable information must be used to link an affected individual’s records to understand the full events leading to harm.

Where an organisation undertakes an internal investigation in response to a complaint, the common law duty of confidentiality is met with the implied consent of the complainant. This is because the complainant has a reasonable expectation that their data will be shared with relevant managers and senior staff, including staff who were not part of the original care team, to ensure a fair and independent investigation.

Where complaints relate to third parties (for example, a family member complaining about the treatment their relative has received), then the complainant will need to provide evidence they have the consent of their relative to submit the complaint, or the health or care organisation will need to confirm consent with the relative, in order to investigate the complaint. If the relative does not provide consent, then the complaint cannot be investigated.

In addition to this, organisations involved in the individual’s care pathway (for example the ambulance service) may share information if it is relevant to the organisation handling the complaint (for example a hospital trust) as this would also fall under the reasonable expectation of the complainant.

You should be transparent about how information will be shared when a complaint is made in your complaints policy.

Identifiable information is unlikely to be needed to conduct a review or inquiry into issues that do not directly concern the safety of healthcare, for example a review into hospital food. Wherever possible information should be either anonymised, or pseudonymised so that those conducting the review would not reasonably be able to identify individuals.

Where a non-statutory public inquiry, review or investigation does not relate to patient safety and confidential information is required then you cannot rely on implied consent to share with those not directly caring for an individual, and it is unlikely to be in the overriding public interest. In this circumstance you will need to anonymise the data or seek explicit consent.

Each of the four main types of court in the English justice system (the criminal, civil, family, and coroner’s) may request information from health and care organisations in the form of a court order. A judge can request any information they see as relevant to the case, and you must comply by providing exactly the information requested within the court order, in its original format where possible to avoid any doubt about the authenticity of the record.

Under UK GDPR, the legal bases for processing information for court orders are:

• Article 6 (1) (c) legal obligation
• Article 9 (2) (f) legal claims, or courts acting in their judicial capacity

A court order will also satisfy the common law duty of confidentiality, where the request would involve the disclosure of confidential patient information as disclosure is legally required.

Court orders will usually specify a date by when you must present the requested information to the court or explain why it is not available.

You will always be compliant with data protection law by following a court order. Failure to comply with a court order may result in you being found in contempt of court and incurring unnecessary legal costs.

If you cannot comply with the court order you will need to apply to the court requesting a hearing. You might not be able to respond for example because you do not hold the information requested, or you consider the request to be in error or irrelevant to the case in question. The hearing is an opportunity for you to present a statement to the court explaining your reasons to set aside the order. The judge will decide, and you must comply with their decision.