Decision 061/2026: Details of loss of service in relation to IT, eHealth and telecommunications incidents
Authority: Fife Health Board
Case Ref: 202300914
Summary
The Applicant asked the Authority for all records for the last five years covering all IT, eHealth and telecommunications incidents resulting in loss of service to end users. The Authority provided some information but relied on the exemption in section 35 of FOISA. During the investigation the Authority identified and withheld recorded information on the basis that it considered the disclosure would, or would be likely to, prejudice substantially the prevention or detection of crime. The Commissioner investigated and found that the Authority had failed to carry out adequate and proportionate searches and had failed to provide adequate submissions to justify its position as to why information was exempt from disclosure. He required it to carry out and document adequate, proportionate searches for the recorded information requested and provide the Applicant with a revised review outcome on that basis.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 35(1)(a) (Law enforcement); 47(1) and (2) (Application for decision by Commissioner).
Background
- On 27 March 2023, the Applicant made a request for information to the Authority. He asked for a copy covering the last five years of all records of all and any information technology, eHealth and telecommunications incidents resulting in loss of service to end users (including patients) and/or internal or external communications systems. He stated examples would be email, Microsoft Teams, telephony and access to any services, but not excluding any other systems in use by the Authority.
- The Authority responded on 26 April 2023, providing a partial response in which it disclosed some information to the Applicant. The Authority explained it was relying on the exemption in section 35 (Law enforcement) as disclosing the specific information requested would potentially compromise its IT infrastructure and could undermine the prevention and detection of crime or jeopardise national IT infrastructure security (SWAN). It considered disclosing the information could make its IT systems vulnerable to hacking.
- On 26 April 2023, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because it had incorrectly relied on the exemption in section 35 (Law enforcement). He stated his assumption was that the Authority had meant to rely on “section 35: Government Policy”. He explained why he considered the application of this exemption could not be correct and asked for a review to confirm whether or not the exemption could be applied to this case.
- The Authority notified the Applicant of the outcome of its review on 3 May 2023. It upheld its original response.
- On 18 July 2023, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because it had refused his FOI request. He believed it had made a mistake and that the section 35 exemption was related to central government rather than law enforcement.
- On 27 July 2023, the Validation Officer explained to the Applicant that section 35 (Central Government) was a provision of the Freedom of Information Act 2000 (FOIA), whilst section 35 (of the Freedom of Information (Scotland) Act 2002), which Scottish public authorities are required to comply with, related to law enforcement. The Validation Officer explained that as the Authority in this case was subject to FOISA, it could only respond to requests and requirements for review under that statute.
- The Applicant clarified his dissatisfaction with the Authority’s reliance on the exemption in section 35 of FOISA to withhold the information he had requested, as he did not consider it had any responsibility for law enforcement.
Investigation
- The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
- On 3 August 2023, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments, together with asking it to provide the information withheld from the Applicant.
- Following the provision by the Authority of comments on the application and copies of the responses provided to the Applicant, the case was allocated to an investigating officer.
- It became apparent that the information provided to the Commissioner was the same information as had been provided to the Applicant at the time of his request and not therefore what the Authority considered to be exempt from disclosure.
- The Commissioner asked for clarification from the Authority on whether there was further information falling within the scope of the Applicant’s request that it was withholding from him.
- The Authority provided the Commissioner with information in five documents and a revised schedule that indicated it was withholding all of this information in full under section 35(1)(a) of FOISA.
Commissioner’s analysis and findings
- The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
- As noted above, in his request for information the Applicant asked for a copy of all records covering the last five years for all and any information technology, eHealth and telecommunication incidents resulting in loss of service to end users (including patients) and/or internal or external communications systems.
- The information that was provided to the Applicant in response to his request comprised a table that split the incidents that had occurred into five categories:
- Negligible incidents
- Minor incidents
- Moderate incidents
- Major incidents
- Extreme incidents
The information in this table covered the time period of the request and was populated with monthly figures for the number of incidents which occurred in each category. It showed no major or extreme incidents in this time period, with ten moderate incidents and higher numbers of minor and negligible incidents.
- During the investigation the Authority located information in five further documents that related to five of the “moderate” incidents recorded in the table. These were provided to the Commissioner and withheld in full from the Applicant.
Section 1(1) – general entitlement
- Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.
- The information to be given is that held by the authority at the time the request is received, as defined in section 1(4) of FOISA. This is not necessarily to be equated with information an applicant believes the authority should hold.
- The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.
Interpretation of the request
- The Authority interpreted the phrase used in the Applicant’s request, “loss of service to end users” to match the definition of the “moderate”, “major” and “extreme” categories of incident included in its initial response. It explained that minor or negligible incidents excluded critical systems. The Authority outlined why it considered the moderate, major and extreme classifications to match the Applicant’s “loss of service to end users” definition.
- The Authority explained that while records would be maintained for negligible or minor incidents, these incidents were not assessed as meeting the Applicant’s “loss of service” definition.
- The Commissioner has considered the Applicant’s request and the reasoning provided by the Authority as to how it interpreted this request. In the circumstances, the Commissioner believes it was reasonable to determine that the moderate, major and extreme incidents would fall within the scope of the request, given their potential impact on end users, and that minor and negligible incidents would not fall within the scope of the request.
Information held by the Authority
The Authority’s submissions
- The Authority explained that the table it had provided to the Applicant in its response was developed in direct response to his request and created to provide some information to the Applicant.
- It submitted that information for any incident, no matter the category, was captured on its Information Technology Service Management System (ITSM System) with key updates being provided to the ITSM System. The Authority explained that the incident would then be managed by the appropriate staff, depending on the type of incident, with some incidents being recorded on another system as an “Incident” to help outline the impact and assessment on services.
- The Authority stated that in considering the Applicant’s request, it established its intention to exempt any sharing of the detail requested under section 35 of FOISA and, on that basis, at the time of the original request, no additional searches were conducted to identify what records were available (in addition to the table of figures provided).
- The Authority submitted that additional searches, which identified the information in the five documents provided, were only conducted in response to the Commissioner’s request for submissions. It noted that since providing its submissions to the Commissioner, it had continued to review incident records to determine whether information was held in relation to the other five “moderate” incidents in the table. It recognised that this did not cover the original request of the Applicant for “all records”.
The Commissioner’s view
- The Commissioner has carefully considered the submissions from the Authority and the Applicant as well as the subject matter of the request.
- He would highlight that in order to determine whether it is appropriate to rely on any exemption in FOISA to withhold information falling within the scope of a request, it is first necessary to establish whether any recorded information is held and then to identify and locate this information. The in-scope information can then be considered by the Authority, to determine if any information can be provided to the Applicant and, if not, whether and which exemption(s) it considers to be appropriate to rely on, based on the actual content of the information.
- The Applicant’s request specified he was seeking “all records”. The Authority has clearly stated in its submissions to the Commissioner that, at the time it provided its response and review outcome to the Applicant, it had not carried out searches to identify the records it held (beyond the figures in the table provided) falling within the scope of the request; its reasoning being that it would rely on the exemption at section 35 of FOISA to withhold from disclosure whatever information it did hold.
- The Commissioner does not consider it appropriate for the Authority to apply an exemption in a blanket fashion, without considering the content of the information it actually holds which falls within scope. It is clear from its submissions that adequate searches to identify recorded information falling within the scope of the request were not carried out by the Authority before it provided its initial response and review outcome to the Applicant.
- The Commissioner notes that some information falling within the scope of the request was located and withheld during the investigation. However, the Authority’s submissions acknowledged that these searches were only conducted as a consequence of the Commissioner’s investigation. The Authority also recognised that the information in the five documents it had identified and provided to the Commissioner did not cover the Applicant’s request for “all records”.
- As a result, the Commissioner is not satisfied that, on the balance of probabilities, the Authority took adequate steps to identify and locate all recorded information held falling within the scope of the Applicant’s request, at the time it received it or when it responded to his requirement for review.
- The Commissioner therefore finds that the Authority failed to respond to the Applicant’s request in accordance with section 1(1) of FOISA. The Commissioner requires the Authority to carry out and document adequate, proportionate searches to determine what recorded information it holds falling within the scope of the Applicant’s request, thereafter providing him with a revised review outcome.
Section 35 – Law enforcement
- Section 35(1)(a) exempts information if its disclosure would, or would be likely to, prejudice substantially the prevention or detection of crime.
- As the Commissioner’s briefing on section 35 notes, the term “prevention or detection of crime” is wide ranging. It encompasses actions taken to anticipate and prevent crime, or to establish the identity and secure prosecution of people suspected of being responsible for committing crime. This could mean activities in relation to specific (anticipated) crime or wider strategies for crime prevention and detection.
- There is no definition in FOISA of what is deemed to be substantial prejudice, but the Commissioner considers an authority would have to identify harm of real and demonstrable significance. The harm would also have to be at least likely, and therefore more than simply a remote possibility.
- The exemption in section 35(1)(a) is subject to the public interest test in section 2(1)(b) of FOISA.
Information that has been located and withheld
- As has been established and discussed above, while the Authority relied on the exemption in section 35 of FOISA at the time of its response to the Applicant’s request and requirement for review, no recorded information (other than that held in the table disclosed in full to the Applicant) had been identified and considered.
- The Authority has now located information in five documents related to five of the “moderate” incidents recorded in the table provided to the Applicant.
- In the accompanying revised schedule provided to the Commissioner, the Authority has indicated that it is relying on section 35(1)(a) to withhold all of the information in each of these five documents.
The Applicant’s submissions
- The Applicant did not agree that the information he requested should be withheld from him. He believed that the information requested was in the public interest as it affected everyday medical care of the public: these types of outages did not only affect people resident in Fife but potentially nationally.
- The Applicant considered that the Authority operated its IT systems without any public oversight or scrutiny and that the public should know how often and why these systems failed. It was his view that the Authority was using FOISA to evade scrutiny and cover up its incompetence.
The Authority’s submissions
- The Authority submitted that its intention in relying on section 35 was to ensure that there was no chance of direct or indirect sharing of information relating to its own critical systems and infrastructure, nor that of its supply chain and other public authorities. In its opinion, if this information was made available it would increase the likelihood and ease of occurrence of a cyber-attack, including the enhanced capability to map across different information by tools such as AI.
- The Authority considered disclosure would increase the likelihood of crime being committed and allow that crime to be designed in such a way that it would be harder to detect or to identify the alleged criminal.
- The Authority acknowledged that by not considering the documents held, and relying on section 35, it had not considered its ability to release some of the information to the Applicant.
- It stated its intention though, in any information release, to withhold through exemptions significant amounts of detail relating to the identification of systems and infrastructure, key architecture, technical details, vulnerabilities, suppliers and personal identifiable items under section 35 and section 38 (Personal information).
- The Authority also mentioned in its submissions the possible appropriateness of section 12 (Excessive cost), recognising that if it were to rely on this provision it would need to consider section 15 (Duty to provide advice and assistance) with a view to assisting the Applicant, where appropriate, to narrow his request so as to bring it below the cost limit of £600.
- It is not entirely clear to the Commissioner, from the submissions he has received, what the Authority’s final position is in relation to the specific information within the five documents it has identified. As a consequence, it has not been possible for the Commissioner to reach a determination on whether any of it is exempt under FOISA.
- In the circumstances and given his finding in relation to quality of the searches carried out by the Authority earlier in this decision, the Commissioner considers it would be appropriate for the Authority to complete adequate, proportionate searches for any recorded information falling within the scope of the request. Once it has identified the recorded information that is held it should come to a view on whether all, some or none of the information can be provided to the Applicant. The Authority should then clearly set out on what basis under FOISA it is withholding any such information and communicate this to the Applicant in the form of a new review outcome.
- If the Authority, as it has indicated in its submissions, considers section 12 may be engaged, then it must be prepared to justify this and, as it has recognised, consider what advice and assistance might be provided to the Applicant to bring the request within the cost limit.
Decision
The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
Specifically, the Commissioner finds that the Authority failed to carry out adequate, proportionate searches for recorded information falling within the scope of the Applicant’s request. The Authority also failed to provide the Commissioner with adequate submissions to allow him to determine whether any of the withheld information that had been identified as falling within scope was exempt under FOISA.
The Commissioner therefore requires the Authority to carry out and document adequate, proportionate searches, and provide a new review outcome to the Applicant in terms of section 21 of FOISA, clearly explaining its position by 11 May 2026.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Euan McCulloch
Head of Enforcement
26 March 2026