LATEST ISSUES 17th April, 2026
- Mark Stock
- Apr 17
Updated: Apr 19
Paula Flanagan, Lead Case Officer at the Information Commissioner's Office, telephoned yesterday to discuss the outcome of her investigation into my complaint about Hampshire & IOW Healthcare Foundation Trust and their vexatious and cynical refusal to comply with my Access Records Requests. Paula's appraisal, highly critical of the handling of my request, was confirmed later the same day in a formal written 'Outcome Decision' letter received by email. That 'Outcome Decision' is published here in full.
For now...
Mark Stock
By email only to: *******************************
15 April 2026
Case reference number: IC************
Dear Mark Stock
The Information Commissioner’s Office is writing to provide you with our outcome decision in relation to the data protection concerns you raised with us on 12 December 2025, about the way Hampshire and Isle of Wight Healthcare NHS Foundation Trust (‘HIOW Healthcare’) are handling your personal information.
Background to this complaint
Briefly, you told us that you had been ‘requesting information, informally since Tuesday 24th June 2025 and formally, in writing, multiple times since 12th September 2025. The information I am currently requesting is communication between Gemma Stubbington, former Head of Nursing at HIOWH, and Susan Corley, Head of the Safeguarding Board, HIOWH, that details the advice given to refer me to the government’s counter-terrorism initiative, Prevent. The referral was closed by Prevent Referrals almost immediately after because the referral had no merit. I have also been in regular contact with the rights group, Prevent Watch, who have suggested the referral to have been unjustified. I have recently spoken to Dr Layla Aitlhadj, the Director of Prevent Watch, who recommended that I secure ALL relevant information from Prevent Referrals, Hampshire Police AND Records at HIOW Healthcare by the end of January 2026 so that she can pass my case to lawyers affiliated with Prevent Watch with a view to taking formal legal action. My complaint against HIOW Healthcare and the contentious referral of me to Prevent has been met with casual contempt, obstruction and time wasting. A cursory investigation resulted in the complaint being closed and an advisement that I take my complaint to the Parliamentary Health Service Ombudsman.’
For clarity, I should perhaps mention here that Prevent is part of the UK Government’s CONTEST counter-terrorism strategy and is designed to stop individuals from becoming terrorists or supporting terrorism by identifying vulnerabilities early and providing safeguarding-focused interventions. I also understand that Prevent operates through multi agency cooperation - including the NHS, police, local authorities, education providers and other safeguarding partners - and is underpinned by statutory duties set out in the Counter-Terrorism and Security Act 2015.
As such, Prevent referrals are sensitive by nature, and decisions around handling associated personal data must be made with careful regard to the UK GDPR and the Data Protection Act 2018. We acknowledge that you made a subject access request (‘SAR’) to HIOW Healthcare, asking for a copy of personal information relating to a Prevent referral by the Trust. While we acknowledge the Trust’s willingness to engage constructively with us about this matter, we found that aspects of their SAR response(s) gave us concerns about their internal governance and data protection decision-making processes. These include:
1. Application of an incorrect exemption
In the Trust’s initial response to us, they explained that they had relied on section 45(4)(b) of the Data Protection Act 2018, an exemption available only to competent authorities operating under Part 3 (law enforcement processing). When I asked the Trust to revisit their responses to you, they subsequently confirmed that it is not in fact a competent authority for these purposes and therefore could not rely on this exemption. The Trust have since withdrawn it. While we welcome the correction, the use of an exemption outside the organisation’s legal remit suggests that the Trust’s data protection processes and procedures were unlikely to be adequate at the time the response was issued.
2. Reliance on police instruction rather than a controller-led assessment
Correspondence you have provided to us shows that the Trust applied the exemption in question following advice from the police. While we recognise that police insight is often necessary in Prevent-related matters, the responsibility for determining the appropriate exemption lies solely with the data controller, in this case, HIOW Healthcare. A controller cannot apply an exemption simply because another organisation instructs or advises it to do so. Decisions must always be grounded in the controller’s own assessment of necessity, proportionality and risk, supported by documented reasoning.
3. Subsequent amendment of exemptions
Following our discussions with the Trust, they revised their position and applied exemptions under:
• Schedule 2, Part 1, Paragraph 2(1)(a)–(c) DPA 2018 (crime and taxation), and
• Schedule 2, Part 3, Paragraph 18 DPA 2018 (health, education and social work data).
These exemptions may be appropriate in the context of Prevent-related safeguarding. Nonetheless, the need to withdraw and replace the original exemption suggests that HIOW Healthcare’s internal SAR processes and quality assurance processes require strengthening.
We wrote to HIOW Healthcare on 19 March and asked them to take steps to ensure they fully comply with the UK GDPR and DPA 2018 going forward. In our letter, we explained that we expect HIOW Healthcare to take the following steps:
a. Strengthen their exemption assessment processes
HIOW Healthcare’s decisions to restrict access to personal information must be based on a well-evidenced, controller-led assessment addressing necessity, proportionality and the likelihood of prejudice or harm.
b. Improve internal governance and staff training
We recommended that HIOW Healthcare review their subject access request processes, staff training, and oversight arrangements for high risk cases, including those involving safeguarding and Prevent referrals.
c. Ensure individuals receive sufficiently transparent responses.
d. Consider requesting an ICO audit
We explained to HIOW Healthcare that given the procedural issues identified, they may want to consider asking the ICO to carry out an independent assessment of its information governance framework. More information about requesting an ICO audit can be found on our website at www.ico.org.uk should you wish to read more about this.
In HIOW Healthcare’s most recent response to us they explained that they have:
• fully centralised all of their subject access requests;
• ensured that the centralised SAR team have undergone training on how to handle requests for PREVENT information;
• updated their internal exemption guidance around this matter; and
• confirmed their joint position with the police on PREVENT cases and exemptions.
Our decision in this case
We have carefully considered all the information we hold in relation to your complaint, together with the confirmation from HIOW Healthcare that they have taken steps to improve their overall data protection compliance. In particular, it should be noted that the Trust misapplied an exemption that was not available to them, failed to apply the correct legal framework at the outset, and did not carry out an adequate controller-led assessment of whether and how personal data could be lawfully withheld. These shortcomings mean that your subject access request was not handled in a compliant or robust manner. As a result of the Trust’s failures, we acknowledge that you continue to experience significant detriment and distress, including uncertainty and prolonged upset.
While we acknowledge that the Trust has engaged with us and provided assurances about steps taken to improve its processes going forward, we are recording an infringement outcome in your case.
We have made it clear when writing to the Trust with our infringement outcome decision that, going forward, they must ensure their decisions to restrict access to personal data are based on clear, well-evidenced and controller-led assessments that correctly demonstrate that the relevant legal framework and exemptions have been applied. We will retain a record of your complaint on our case management system for a minimum of two years and may periodically monitor the Trust’s data protection compliance to help ensure that appropriate improvements have been embedded and sustained. At this stage, we consider that this outcome is a proportionate regulatory response and we are not taking any further action in relation to your concerns at this time.
Taking your complaint to court
Please be aware that as a regulator, our main role is to try and improve information rights practices where there is a significant opportunity for us to do so. However, you may have a right to an effective judicial remedy/right to compensation and liability. If you are seeking personal redress or compensation for the way an organisation has dealt with your personal information, you need to pursue this independently through the courts or with an industry's own ombudsman or regulatory body. We strongly recommend that you seek independent legal advice first.
We would like to thank you for taking the time to make us aware of this matter and we wish you all the best for the future.
Yours sincerely
Paula Flanagan
Lead Case Officer
Information Commissioner’s Office

Well, very comprehensive and sounded very positive, until the big BUT bit! How do you move forward with legal process? Can you search charitable/Pro bono/no win no fee solicitors? Your amazing, and constant, comprehensive record keeping, will prevail. Hope to see you soon. Much love Mxx