Skip to main content

Serious incident investigation reports and issues around disclosure

While internal investigations into serious incidents in a healthcare environment are now commonplace, there is no standard, agreed process within the…


While internal investigations into serious incidents in a healthcare environment are now commonplace, there is no standard, agreed process within the NHS, although a key, recurring issue is that of the disclosure of internal reports, statements, meeting notes and other evidence to external bodies. All organisations should be clear and explicit about their approach.

It is widely-accepted that best practice in terms of improving care can be greatly helped by organisations attempting to learn from past mistakes. Nevertheless, health and safety legislation requires those holding such responsibilities to re-assess risks to staff, patients and visitors’ heath and safety when there is reason to believe that current control measures are no longer valid, which would be strongly suggested if a patient has been harmed in an incident.

Key points to consider

  1. Data Protection Act requests
    • Information provided by staff about involvement in an incident is likely to constitute ‘personal data’ within the meaning of the Data Protection Act 1998 (DPA)
    • DPA requires all such data to be processed fairly and lawfully so parameters of investigation should be very clear from the outset with all involved being informed how the information they provide will be dealt with
    • This fair processing requirement also impacts on requests for external disclosure and includes a need to seek the views of the individuals whose personal information you propose to share
    • Lawfulness of the disclosure of any information provided requires separate analysis, depending on the recipient and the basis upon which it is shared
    • Personal data is widely defined by the DPA, so any detailed report is likely to include personal data of both the patient and the staff involved, which means that a living patient can make a DPA subject access request
    • The obligations of the data controller to disclose that data need to be carefully considered, as there are issues around consent of the parties involved and whether the request is reasonable, which in itself requires consideration of issues around confidentiality and the views of those individuals

  2. Freedom of Information Act requests
    • Applications for release of internal information may also be made under the Freedom of Information Act 2000 (FOIA)
    • Whilst there are a number of exemptions that apply to such applications, some of which have been considered by the Information Tribunal in connection with Trusts, this is a complex area
    • In addition, qualified exemptions within FOIA mean that data controllers are essentially balancing the public interest of maintaining confidential information against the use to which such information would be put if disclosed

  3. Requests from a coroner
    • Can be difficult to consider
    • Fall outside the statutory provisions of the DPA and FOIA, but many of the same considerations are relevant in terms of maintaining the balance between any confidence that exists in information obtained in an internal investigation compared with its potential value to an inquest
    • Has the power to seek an order for disclosure from a court, although the circumstances in which a court would make such an order are prescribed by case law and essentially require identification of a specific document, disclosure of which is necessary

  4. Requests from the police
    • Powers to obtain internal documentation are more limited
    • Given the sensitive personal data likely to be contained within any materials sought, any such requests need to be considered individually

  5. Requests from regulators
    • Similar considerations to requests from police
    • Powers of regulators such as the HSE or CQC are laid down by the legislation establishing their remit


Given the complex legal and regulatory arena within which healthcare functions, as identified above, any issues relating to the disclosure of materials that have been gathered as a result of internal investigations need to be carefully considered and assessed to ensure that, no only is the law being complied with, but also that patients and staff are being treated fairly and their confidences not breached.

For more information on any of the issues raised in this article, please contact:

Richard Jolly, Partner, on 0151 242 7954 or at

Ken Slade, Principal Professional Support Lawyer, on 0151 242 7953 or at

Sectors and Services featured in this article

Share on Twitter