Business Case I am writing to advise you that following a search of our paper and electronic records, I have established that the information you requested is not held by the NHS Business Services Authority. The spend and resource required for this initiative was not at the level which would require a business case. Mandate and Closure Report Please see this attached. Please note that the “Timeline of Opportunity” is blank as this section was not used. Please be aware that I have decided not to release details of all staff as this information falls under the exemption in section 40 subsections 2 and 3 (a) of the Freedom of Information Act. This is because it would breach the first data protection principle as: a) It is not fair to disclose these people’s personal details to the world and is likely to cause damage or distress to staff b) These details are not of sufficient interest to the public to warrant an intrusion into the privacy of those staff. Annex A at the end of this letter sets out the exemption in full. Analytical Methodology and Benefits Sheet Please see attached. The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988 and is subject to NHSBSA copyright. This information is licenced under the terms of the Open Government Licence detailed at: http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ Should you wish to re-use the information you must include the following statement: “Pacific, NHSBSA Copyright 2019” This information is licenced under the terms of the Open Government Licence: http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ Failure to do so is a breach of the terms of the licence. Information you receive which is not subject to NHSBSA Copyright continues to be protected by the copyright of the person, or organisation, from which the information originated. Please obtain their permission before reproducing any third party (non NHSBSA Copyright) information. Annex A Section 40 - Personal information (1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject. (2) Any information to which a request for information relates is also exempt information if - a. it constitutes personal data which does not fall within subsection (1), and b. the first, second or third condition below is satisfied. (3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act— (a) would contravene any of the data protection principles, or (b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded. (3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing). (4A) The third condition is that— (a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or (b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section. (5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1). (5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies— (a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)— (i) would (apart from this Act) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded; (b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing); (c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a); (d) on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section (6) In this section— . “the data protection principles” means the principles set out in— (a) Article 5(1) of the GDPR, and (b) section 34(1) of the Data Protection Act 2018; “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act); “the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act). (7) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”