Six Freedom of Information Requests. One Identical Refusal.
DHCW refused every FOI request this campaign has filed — not on substance, but on a technicality. They did not assess a single question. They did not disclose a single figure. They sent the same letter six times.
28 March 2026 · 9 min read
On 11 March 2026, this campaign filed six Freedom of Information requests. Five were directed at Digital Health and Care Wales. One was directed at the Welsh Government. The requests targeted programme costs, consultancy spending, procurement contracts, cyber security compliance, and total public funding — the basic financial questions that any organisation spending £78 million of public money per year should be able to answer.
On 20 March 2026 — nine days later — DHCW responded. Not with information. Not with a partial disclosure. Not with a considered exemption citing commercial sensitivity or national security. With a single letter, addressed to all five DHCW requests simultaneously, refusing to process any of them.
The reason: the requests were submitted under the name "CareNHS" rather than an individual's name.
The Letter
The response, signed by Marcus Sandberg, Information Governance Assurance Manager, cited Section 8(1)(b) of the Freedom of Information Act 2000, which states that a valid request must "state the name of the applicant." DHCW's position is that "CareNHS" is not a valid name, rendering all five requests technically invalid.
Download the full DHCW refusal letter (PDF)
The letter stated:
"In order for DHCW to process your request in line with your rights, please could we request that you provide a valid name to satisfy the requirements."
It continued:
"If we do not receive the information, then we will consider your requests to be withdrawn, and you will not receive a response."
The Welsh Government sent a separate but materially identical refusal for the sixth request.
Not one of the six requests was assessed on its merits. Not one figure was disclosed. Not one question was answered.
What Was Asked
These were not frivolous or vexatious requests. They targeted the most basic financial accountability questions about an organisation under the highest tier of government intervention:
| Request | What it asked |
|---|---|
| NDR Total Expenditure | How much has been spent on the National Data Resource — a programme whose costs have never been published? Employment Tribunal documents allege £60M+. |
| WPOCT Programme Costs | What is the scale of cyclical re-procurement waste — estimated at £20-28M per year across the portfolio? |
| Consultancy Engagements over £50K | DHCW declared only £757,000 in consultancy for 2023/24. Is the classification boundary hiding the true spend? |
| Channel 3 / Aire Logic / CGI / Kainos Contracts | What are the values and procurement routes for the NTA programme contracts? No competitive tender notices have been found on public procurement platforms. |
| Cyber Security Compliance | Does DHCW hold Cyber Essentials certification? Has it conducted penetration testing? These are binary yes/no questions for the organisation protecting the health data of three million people. |
| Total DHCW Funding by Programme | How much public money flows into DHCW each year, broken down by programme? The £50M digital health commitment from 2019 — how was it spent? |
Every one of these questions concerns public expenditure. Not personal data. Not commercial secrets. Public money, spent by a public body, on public programmes that are publicly failing.
What the ICO Says
The Information Commissioner's Office — the independent body responsible for upholding FOI law — has published clear guidance on exactly this situation.
The ICO acknowledges that a request under a pseudonym is "technically" non-compliant with Section 8(1)(b). But it goes significantly further:
"Where a public authority knows that a pseudonym has been used, as a matter of good practice it should still consider the request, for example where identity is not relevant and it is content to disclose the information requested."
The ICO's guidance emphasises several principles that DHCW's response appears to violate:
FOI operates on disclosure "to the world at large." Information released under FOI is not released to the requester personally — it is released to everyone. The requester's identity is therefore irrelevant to the disclosure decision. Whether the question comes from a campaign, a journalist, or a concerned citizen, the information is the same and the public interest is the same.
Public authorities should not routinely verify identities. The ICO's guidance states that authorities should accept names at face value and not conduct identity checks. The purpose of s.8(1)(b) is administrative — to enable correspondence — not to create an identity verification barrier.
The duty to advise and assist (Section 16). When a public authority believes a request is deficient, Section 16 of the Act requires it to advise the applicant and assist them in making a valid request. DHCW could have written back and said: "We'd like to process your requests — could you provide an individual's name?" Instead, it threatened that without a name the requests would be "considered to be withdrawn, and you will not receive a response."
Identity is only relevant in narrow exemption cases — such as Section 40 (personal data) or Section 14 (vexatious requests). None of these six requests involves personal data or meets any reasonable definition of vexatious. They are straightforward financial accountability questions.
The Pattern
This refusal does not exist in isolation. It sits within a documented pattern of behaviour by an organisation that has systematically resisted transparency at every level:
They block the website. DHCW blocks carenhs.org — this site — from NHS Wales network devices. Staff cannot read publicly sourced accountability reporting about their own employer.
They refuse the FOIs. When the campaign uses Freedom of Information law to obtain the data DHCW does not publish, DHCW refuses to engage with the substance of the requests.
They publish nothing voluntarily. Six of nine Level 3 programmes have never published any expenditure figure. Zero whistleblowing data. Zero disciplinary data. Zero leavers analysis. The identity of the independent digital expert overseeing DHCW has never been disclosed. The RISP radiology supplier — a £47-56M contract — has never been publicly named.
They threaten withdrawal. The letter does not merely refuse. It states that without a name, the requests will be treated as withdrawn. The message is clear: comply with our procedural requirement or lose your right to ask the question.
Block the website. Refuse the FOIs. Publish nothing. Threaten withdrawal. This is not a series of unrelated administrative decisions. It is the architecture of unaccountability in operation.
What Happens Next
We are taking two parallel actions:
1. Resubmission. All six requests are being resubmitted under an individual's real name, removing the s.8(1)(b) objection entirely. DHCW will then have 20 working days to respond to the substance of the requests. Any further refusal will require a substantive exemption — commercial sensitivity, cost limits, or another provision of the Act — not a procedural technicality. We will publish every response.
2. ICO complaint. We are filing a formal complaint with the Information Commissioner's Office about DHCW's handling of the original requests. The complaint will argue that DHCW failed to follow ICO good practice guidance, failed in its Section 16 duty to advise and assist, and used a blanket procedural refusal to avoid engaging with legitimate transparency requests about public expenditure by an organisation under the highest tier of government intervention.
The complaint creates a formal record. If DHCW attempts further obstruction tactics on the resubmitted requests — excessive time extensions, broad exemption claims, or a Section 14 vexatious designation — the ICO will have the context of an organisation that has already demonstrated a pattern of resistance to transparency.
The Question They Refused to Answer
The six requests, taken together, ask a single underlying question: what has the Welsh public received for the hundreds of millions of pounds invested in DHCW?
The CEO herself admitted in January 2026 that she cannot answer this question: "We don't have an ROI on all of our investments." The Senedd flagged the same problem in 2023, when DHCW described quantifying benefits as "quite a tricky question."
Now, when a citizen campaign uses the legal mechanisms designed to force transparency on public bodies, the organisation's response is not to answer the question. It is to refuse to engage with it.
If DHCW had nothing to hide, these requests would be easy to answer. Programme costs are tracked internally. Contract values are known. Cyber compliance is either certified or it is not. The decision not to disclose this information — first by not publishing it, then by refusing FOI requests for it — is a choice. And choices have consequences.
Right of Reply: DHCW was invited to respond prior to publication. No response has been received.
Source Note
The DHCW refusal letter (dated 20 March 2026, signed by Marcus Sandberg, Information Governance Assurance Manager) is published in full on WhatDoTheyKnow. ICO guidance on Section 8 is published at ico.org.uk. The six FOI requests and all responses are publicly visible on WhatDoTheyKnow.
What You Can Do
This evidence exists because someone looked. You can help make sure it leads to change:
- Write to your MS — ask why DHCW refuses to disclose how it spends public money
- Share this page — the more people who see this evidence, the harder it is to ignore
- Submit what you know — if you have evidence of waste, misconduct, or the suppression of concerns
- Support the FOI campaign — 54 Freedom of Information requests targeting DHCW's hidden data
Related pages:
- FOI Tracker — all 54 requests, statuses, and responses
- What They Don't Publish — the data DHCW keeps hidden
- What They Don't Publish — the full architecture of unaccountability, including website blocking
- Financial Waste — the spending they refuse to disclose