Why is West Suffolk NHS Foundation Trust refusing to name the contractor who processed staff fingerprints?

By Dr Minh Alexander NHS whistleblower and former consultant psychiatrist 17 November 2020

Background

West Suffolk NHS Foundation is the NHS trust rated ‘Outstanding’ by CQC

in January 2018, and which the National Guardian foolishly praised for good whistleblowing governance, which launched a mole hunt for a member of staff who had written anonymously to Susan Warby’s (a patient) bereaved family to raise concerns about safety.

The trust claimed fingerprints were found on this letter/ its envelope, and used this to intimidate staff, including a member of staff who had previously made public interest disclosures about other matters. Staff were threatened with possible consequences if they did not provide fingerprints and handwriting samples for matching. The trust letter sent to staff read:

“any refusal to provide consent … would be considered evidence which implicates you as being involved in the writing of the letter”.

The trust later retreated in the face of public condemnation and admitted that it should not have asked for staff fingerprints for matching.

Biometric data used for identification is classified as special category data under GDPR, European data protection legislation, and it can only be used for identification based on “explicit consent”. The trust therefore acted outside of its powers when it coerced staff.

The ICO confirmed that the trust staff affected would, on the face of the known facts, have a legitimate basis for lodging a complaint.

A “rapid” review  of the West Suffolk governance failure was commissioned by NHS Improvement in February 2020 and its publication is awaited.

The matter is of special sensitivity as the Secretary of State, the local MP, was implicated by reported failure to help trust staff who sought his help to address patient safety issues and his protection against management bullying. Hancock and the West Suffolk CEO have also exchanged public compliments. It remains to be seen what influence the Department of Health and Social Care will exert over the rapid review report.

West Suffolk’s processing of the purported finger prints

To help tighten up the facts available, I asked West Suffolk about its handling of the fingerprint data. Farcically, the trust initially stalled by asking what I meant by fingerprint data. It has now responded, claiming that it only holds the fingerprints in the form of the original letter/envelope, and does not hold a digital form of this data.

The trust admits that its data protection policy does not explicitly cover biometric data but claims that “by its nature” the policy implicitly covers special category data. That is an unsatisfactory argument. The failure to explicitly tell staff about their rights regarding special category data is unfair. Suggesting a lack of genuine regret, the trust has not bothered to review and amend its data protection policy despite the above furore over its infringement of staff rights.

Of concern, the trust is also tight-lipped about whom it paid public money to analyse the alleged fingerprints on the anonymous letter/envelope. It claims it cannot reveal this information due to the commercial interest exemption. This seems an unusual application of this exemption and I will appeal.

One has to wonder about the reasons behind the trust’s obfuscation.

The trust now claims that the contractor no longer holds the fingerprint data:

“11. Does any third party (or parties) still hold the fingerprint data?

No.”

Lastly, the trust denies that it holds any other staff fingerprint data other than those related to the Warby case.

The FOI correspondence with the trust is provided in the appendix.

If you have not done so already, please sign and share the petition for much better UK whistleblowing law, to replace the currently ineffective system response which is reactive, too slow to prevent harm and very often compromised. We need a proactive system with the powers to establish the truth much more quickly, reduce whistleblowers’ exposure to reprisal and correct governance failures speedily.

Petition: Replace UK whistleblowing law, and protect whistleblowers and the public

RELATED ITEMS

A new UK whistleblowing Bill and a petition to the UK government to strengthen protection

National Guardian’s gaslighting exclusion criteria: the never ending story

Matt Hancock Secretary of State for Health and Social Care, and Freedom To Speak Up lanyard sporting Steve Dunn, CEO of West Suffolk, in happier times

APPENDIX
FOI correspondence with West Suffolk NHS Foundation Trust

From: FOI <REDACTED>

Subject: FOI 20-14795

Date: 17 November 2020 at 08:45:27 GMT

To: minh alexander <REDACTED>

Cc: FOI < REDACTED >

 Dear Dr Alexander 

I am writing to confirm that the West Suffolk NHS Foundation Trust has now completed its search for the information which you requested on 12th September

Thank you for your email dated 24th October clarifying your request for information dated 12th September. We are now in a position to provide a response to the questions posed with the context that you have provided.

We note that by using the term ‘fingerprint data’ you are referring to finger prints on a specific letter/envelope which was sent anonymously to a member of the public. On that basis, we can respond to your numbered points as follows:

  1. Where did the trust store the data on the fingerprints from the anonymously sent documents/ envelope?

The anonymous letter was stored in a sealed police evidence bag in a locked secure location in the Trust’s premises.

  • Who in the trust had access to the fingerprint data?

The sealed evidence bag was sent by the police to the Trust, and a limited number of staff held the evidence bag but did not open it; these include the Case Investigator and the Case Manager.

  • Does the trust still hold the fingerprint data?

Yes.

  • If the trust had multiple copies of the fingerprint data, please disclose all locations in which the fingerprint data has been stored

The Trust did not/does not have multiple copies.

  • Please disclose what level or levels of IT security applied to the stored fingerprint data.

This is not applicable as the fingerprints to which you refer are on a hardcopy envelope/letter.

  • Did any third party store the fingerprint data at any point?

Yes, a laboratory specialising in fingerprinting.

  • Please disclose details of the third party or parties who stored the fingerprint data.

This Trust considers this information to be exempt from disclosure under s.43(2) of FoIA which states that information does not have to be disclosed if it would or would be likely to harm the commercial interests of any person. The exemption in s.43(2) is qualified, which means it is subject to a public interest test. The Trust has considered the public interest arguments in favour of disclosing the information and the public interest arguments in favour of maintaining the exemption. It has reached the conclusion that the public interest balance lies in favour of maintaining the exemption.

  • If a third party or parties stored the fingerprint data, where did the third party (or parties) store the fingerprint data?

As above, the Trust considers this information to be exempt in accordance with s.43(2) of FoIA. We have consider the public interest balance and have reached the conclusion that the public interest is in favour of the exemption.

  • Was the level of IT security applied by these third parties in storing the fingerprint data agreed with the trust, whether specific to this case or by contract?

The Trust undertook due diligence in relation to the laboratory in question which is a recognised company providing a range of forensic science expert witnesses to criminal and civil courts, companies, private investigators, sports teams and private clients. 

  1. Please disclose the details of the level of IT security agreed between the trust and third parties.

As per question 9 above.

  1. Does any third party (or parties) still hold the fingerprint data?

No.

  1. Does West Suffolk NHS Foundation trust hold any other fingerprint data, other than that related to the anonymous fingerprint data from the Susan Warby case?

No.

  1. Does the trust have any policy on the processing of sensitive staff biometric data (such as fingerprints), and if so has this been reviewed and or updated since the trust announced that it was dropping its attempts to obtain fingerprint evidence from trust staff, to see if any matched the fingerprints on the anonymously sent documents/ envelope about the Warby case.

The Trust has a Data Protection Policy which by its nature implicitly covers the processing of ‘special category’ data including biometric data. That policy does not make explicit reference to biometric data and has not been reviewed or updated in response to the fingerprint investigation undertaken by the Trust.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988. You are free to use it for your own purposes, including any non-commercial research and for  the purposes of news reporting. Any other reuse, for example commercial publication, would require the permission of the copyright holder.

If you are unhappy with the service you have received in relation to your request and wish to make a complaint or request a review of our decision, you should write to:

Chief Executive

West Suffolk NHS Foundation Trust

Hardwick Lane

Bury St Edmunds

Suffolk IP33 2QZ

If you are not content with the outcome of your complaint, you may request the Information Commissioner’s Office to carry out a review.

Kind regards

Jenny Hards

Senior Information Governance Officer

West Suffolk NHS Foundation Trust
Hardwick Lane|Bury St Edmunds|SUFFOLK|IP33 2QZ


Scanned by Trustwave SEG – Trustwave’s comprehensive email content security solution.



From: minh alexander <REDACTED >

Subject: FOI 20-14795

Date: 24 October 2020 at 12:32:59 BST

To: Stephen Dunn <REDACTED>

Cc: FOI <REDACTED>

BY EMAIL 

Steve Dunn

CEO West Suffolk NHS Foundation Trust

24 October 2020

Dear Mr Dunn,

I have had a rather unexpected response from West Suffolk NHS Foundation Trust to my FOI request of 12 September 2020, in which the trust has asked me, after the FOI response was due, to clarify what I meant by “fingerprint data”. Please see the correspondence exchange with the trust, below.

I clearly meant finger prints detected either on the anonymous letter, the envelope that it arrived in or any enclosures, which sparked the trust’s molehunt & initial demands that staff provide finger prints for matching against those purportedly found on the anonymous letter/ envelope/ enclosures.

I not sure how much clearer I can be.

Please expedite the trust’s response.

Many thanks

Dr Minh Alexander

From: FOI <REDACTED>

Subject: : FOI 20-14795

Date: 12 October 2020 at 10:42:19 BST

To: minh alexander <REDACTED >

Cc: FOI <REDACTED>

Dear Dr Minh Alexander,

Request for Information

Thank you for your email of 12th September 2020 which we are treating as a request made under the Freedom of Information Act 2000 (‘FoIA’).

You have requested information relating to ‘fingerprint data.’

We have given careful consideration to your request and have reached the conclusion that it is not sufficiently clear to enable us to locate or identify any information. In accordance with our duty under s.16 of FoIA, we would like to assist you to clarify your request to the extent that we are able to properly respond to it.

More specifically, please could you clarify what you mean by the term ‘fingerprint data’ for the purposes of your request?

Please note that in accordance with s.1(3) of FoIA, we are not under any further obligation to respond to your request until clarification has been provided to us. 

If you have any complaint about the way in which your request has been handled, please write to

Chief Executive

West Suffolk NHS Foundation Trust

Hardwick Lane

Bury St Edmunds

Suffolk IP33 2QZ

who will conduct a review. If your complaint is not resolved to your absolute satisfaction, you have the right to apply to the Information Commissioner for a decision. The Information Commissioner can be contacted by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Yours sincerely

Jenny

Jenny Hards| Senior Information Governance Officer

Cedar House

West Suffolk NHS Foundation Trust
Hardwick Lane|Bury St Edmunds|SUFFOLK|IP33 2QZ

Requests received after 3pm will be logged the following working day


Scanned by Trustwave SEG – Trustwave’s comprehensive email content security solution.



From: FOI <REDACTED >

Subject: FOI 20-14795

Date: 15 September 2020 at 09:37:59 BST

To: ‘minh alexander’ <REDACTED>

Cc: FOI <REDACTED >

Freedom of Information Request Acknowledgement

Thank you for your request which was received by us on 14th September 2020

Under the Freedom of Information (FOI) Act 2000 we are required to provide a response within 20 working days. You should expect to receive a response by 12th October 2020

We will advise you if we do not hold the information requested or if an exemption applies.

Your request has been given the reference number FOI 20-14795 .

Jenny

FOI Team

Cedar House

West Suffolk NHS Foundation Trust
Hardwick Lane|Bury St Edmunds|SUFFOLK|IP33 2QZ

Requests received after 3pm will be logged the following working day

From: minh alexander [REDACTED] 
Sent: 12 September 2020 11:17
To: FOI
Cc: Dunn Stephen
Subject: Handling of fingerprint data by West Suffolk NHS Foundation Trust and third parties

Dear Sir,

Handling of fingerprint data by West Suffolk NHS Foundation Trust and third parties

Regarding the trust’s attempt to obtain fingerprints from staff, in an investigation to find out who had sent an anonymous letter to the bereaved family of Susan Warby, a deceased trust patient whose care was criticised by the coroner:

https://www.theguardian.com/society/2020/sep/07/errors-west-suffolk-hospital-contributed-womans-death-susan-warby

1. Where did the trust store the data on the fingerprints from the anonymously sent documents/ envelope?

2. Who in the trust had access to the fingerprint data?

3. Does the trust still hold the fingerprint data?

4. If the trust had multiple copies of the fingerprint data, please disclose all locations in which the fingerprint data has been stored

5. Please disclose what level or levels of IT security applied to the stored fingerprint data.

6. Did any third party store the fingerprint data at any point?

7. Please disclose details of the third party or parties who stored the fingerprint data.

8. If a third party or parties stored the fingerprint data, where did the third party (or parties) store the fingerprint data?

9. Was the level of IT security applied by these third parties in storing the fingerprint data agreed with the trust, whether specific to this case or by contract?

10. Please disclose the details of the level of IT security agreed between the trust and third parties.

11. Does any third party (or parties) still hold the fingerprint data?

12. Does West Suffolk NHS Foundation trust hold any other fingerprint data, other than that related to the anonymous fingerprint data from the Susan Warby case?

13. Does the trust have any policy on the processing of sensitive staff biometric data (such as fingerprints), and if so has this been reviewed and or updated since the trust announced that it was dropping its attempts to obtain fingerprint evidence from trust staff, to see if any matched the fingerprints on the anonymously sent documents/ envelope about the Warby case.

Yours sincerely,

Dr Minh Alexander

Cc Steve Dunn CEO West Suffolk NHS Foundation Trust

One thought on “Why is West Suffolk NHS Foundation Trust refusing to name the contractor who processed staff fingerprints?

  1. Thank you for this shocking report and for the photograph.

    Always good to see smiles even if they do display, what our American friends call, British teeth. Extraordinary how lanyards manage to spark my imagination.

    There was a time when I imagined that unsuitability for a position was just some bureaucratic oversight. Or an unwillingness to disturb the status quo with the unexpectedness of ability coupled with integrity.

    Now I know different. All planned.

    Undoubtedly, we’ll all be microchipped soon and the surveillance state will have achieved their ambition.

    Wishing you well.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s