Guidance

Toolkit 9: final outbreak investigation report

Published 21 January 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/communicable-disease-outbreak-management-guidance/toolkit-9-final-outbreak-investigation-report

The below is an outline of points to consider in the development of an outbreak investigation report.

Where an incident management team (IMT) has been established, members of the IMT may request an outbreak report. This is best practice where outbreak management has been complex, when the outbreak/incident report is likely to be requested as part of subsequent legal proceedings, when enforcement action has been taken, or where it is felt there is appropriate learning to be shared. Any outbreak report should ideally be agreed by all members of the IMT and completed within 12 weeks of the end of the formal closure of the outbreak response.

The report will usually be coordinated by the outbreak lead and should follow the format of an outbreak investigation report (see the structure of detailed outbreak report of this toolkit) and include a statement about the effectiveness of all aspects of outbreak management, alongside recommendations for the future. The final report should be comprehensive, protect confidentiality, and be circulated to appropriate individuals and authorities. Further legal considerations related to outbreak management and reports can be found in this toolkit. Publication in a peer-reviewed journal should be considered. The strengthening the reporting of observational studies in epidemiology (STROBE) statement provides guidance on what should be included in reports of observational studies submitted to peer-reviewed journals.

Where a full outbreak report is not deemed necessary the decision should be recorded by the IMT, and they should consider the production of a summary report.

Structure of detailed outbreak report

The below is a suggested structure which may be used to support the development of an outbreak report.

Title page

The title should contain at least the pathogen, location, and date. The name of authors and investigators with affiliations, including members of the IMT, should be listed.

Executive summary

This section should be concise and contain all key facts that describe what happened. The summary should provide an overview of the background, including, for example, how many people were affected, the severity of disease, which pathogen caused the outbreak, and which settings were affected. The summary should also include investigation methods, and results, approaches taken to outbreak control and any recommendations for preventing future outbreaks.

Introduction

This should contain a brief introduction to the outbreak, including details of how the outbreak was identified and initially investigated, and any immediate control measures taken.

Background

This should include a brief description of clinical features, incubation period, infectious dose, recognised sources and modes of spread, and case definitions (including how diagnoses were made). It should also provide the background prevalence of the disease locally, nationally, and globally, if relevant.

Incident coordination

This should include a statement about UKHSA incident response level and command structure, and the UKHSA incident commander and lead organisation. If relevant, the multi-agency or NHS incident response level should be stated.

Outbreak investigation methods

This section should provide an overview of investigation methods used, including:

  • epidemiological
    • descriptive: a description of initial cases and case definition, data collection methods, the epidemic curve, and hypothesis generation
    • analytical: an outline of the study design used (typically case control or cohort), selection of cases or controls, data collection methods, and statistical analyses performed
  • microbiological
    • an outline of samples taken, laboratories used, and the characterisation of isolates
  • environmental (including food chain analysis)
    • an outline of samples taken and risk assessments of production and distribution,
    • an outline of traceability investigations, analysis, food establishment investigations, enforcement strategies and approach
    • an outline of supply chain network investigation
    • description of methods of food investigation and coordination where applicable
  • veterinary
    • an outline of samples taken, risk assessments, and inspection undertaken

Results

The results section should present all the results from all the methods used, with analysis and interpretation of the data, this may include the following results:

  • epidemiological – essential to describe according to time, place, and person
  • microbiological
  • environmental
  • food or animal feed chain – including traceability investigation findings and food safety concerns and breaches, root cause analysis, signal and surveillance trends
  • veterinary

Control measures

This section should describe measures taken to control the outbreak, and how effective they were, for example:

  • overall coordination and management of the outbreak
  • management of cases
  • prevention of further cases (primary and secondary spread)
  • public and industry information
  • information dissemination, for example to professionals/businesses
  • outline of food safety interventions and control measures, infection control, health and safety, enforcement action, alert publications, root cause analysis
  • media response
  • international coordination

Discussion and conclusions

This section should describe:

  • the summary of the main findings
  • the validity of the data and possible sources of bias
  • interpretation of epidemiological and microbiological findings, including identification of populations or settings that experienced a disproportionate impact
  • justification for conclusions drawn and actions taken
  • assessment of the control measures implemented
  • explanation of action to protect public health
  • implications of actions taken on health inequalities
  • problems encountered
  • prevention strategies implemented

Recommendations

The outbreak report should include a summary of the insights and lessons identified and recommendations for any changes in policies, procedures, or guidance. The purpose of this is to:

  • prevent future outbreaks
  • improve surveillance and detection of outbreaks
  • improve the process of outbreak investigation and control
  • improve equity of future outbreak management

References

Appendices

Appendices might include:

  • chronology of events
  • details of risk assessments undertaken, including date and time
  • IMT details (members, terms of reference, roles and responsibilities, meeting dates)
  • detailed results
  • epidemiological or environmental questionnaires
  • food chain traceability maps
  • letters to patients/physicians
  • communication to food industry
  • press releases and food safety alerts published
  • costs of the outbreak, for example extra resources used or commissioned
  • acknowledgements

Circulation list

Final outbreak reports may be requested by third parties for use in legal proceedings (such as a prosecution or coroner’s inquest), or information contained therein requested as part of a freedom of information (FOI) request. It is therefore important that outbreak reports are written with this in mind.

Traditionally, outbreak reports have been written for the use of IMTs and may explore hypotheses and learning points. These may contain elements that are fundamental to the outbreak but may be inappropriate to make available for individual legal cases or publicly available in response to an FOI request. Such elements include named premises (which could lead to an action for defamation); case histories that may be deductively identifiable (even if anonymised); or lessons identified that may be inappropriately interpreted as admissions of errors by external parties. As such, the IMT and report authors should do the following when preparing the report.

  • proofread the document, use a date and version number and remember to take the word “draft” off the final document
  • consider whether further assurance through independent professional or expert scrutiny or peer review is needed by the authors
  • consider whether the conclusions are supported by evidence, and whether the conclusions and opinions would stand up to independent scrutiny
  • state who contributed what to the report and who signed the report off
  • clarify where evidence used in outbreak management came from, and who acted on this evidence
  • document the approach to report authorship. Organisations sometimes have overlapping roles and responsibilities. A report, mainly written by one author on behalf of a multi-agency group, may confuse the reader regarding the legal and professional responsibilities of individual incident responders. To promote a consistent understanding and avoid UKHSA being unnecessarily associated with an inappropriate or inadequate response, it is therefore important to document this

In the construction of outbreak reports, the IMT should consider:

  • the purpose of the report and who it is for. If there are lessons identified relating to the response of individual organisations to the outbreak, consideration should be given to including these in a separate report to be used internally, ensuring compliance with information governance requirements
  • the ownership of the report. If multi-agency sign-off procedure, ownership of copyright and responsibility for formal disclosures needs to be agreed
  • disclosure and publication of the report. Clear arrangements for formal and informal disclosure are needed. Agreement is required regarding where the report will be published and whether this will be in full. It is good practice to allow those affected by the report to see it in advance of publication
  • whether the publication of the report could prejudice any on-going or intended legal proceedings (such as a prosecution or coroner’s inquest) or other enforcement action being undertaken or considered by the local authority or other enforcement agency. Publication may need to be delayed until legal proceedings have been concluded
  • the identification of individuals, organisations, and businesses in the report. Where these are identified, consideration should be given to whether those featured are content with disclosure
  • legal and reputational risks around the report. If these are high, consideration should be given to increasing the scrutiny of the report and getting a legal opinion before publication

The IMT and report authors should also consider the legal requirements and implications of the report, including:

  • whether legal advice is required prior to signing off the report. This may be appropriate if it is known or suspected that the outbreak may be the subject of a civil or criminal prosecution, or if it is a high profile or high impact outbreak
  • if the report includes any material gained during the investigation which was NOT intended for disclosure/inclusion in a report (for example information from emails); which should be withheld or redacted (for example because it is personal, confidential or commercially sensitive) whether statements of fact or opinion; or that is defamatory
  • whether any material relevant to the subject of the document been omitted
  • whether there are any active or potential legal proceedings (such as a prosecution or coroner’s inquest) which could be affected by publication or disclosure of the report.
  • what has been agreed by the IMT in relation to supporting such legal proceedings, including disclosure to the court/Coroner’s Office
  • the likelihood of a regulation 28 report (to prevent future deaths) being issued by the coroner
  • whether there are other government bodies or departmental reports that conflict with the content of the UKHSA report, and therefore wider reputational and legal issues need to be considered
  • whether all local authority actions have been completed
  • whether there is agreement about what can be disclosed when and under what systems (for example request from individual/solicitor, FOI, or other statutory request)
  • whether any legislation precludes disclosure of any of the information in the report

Disclosure of outbreak reports

Removing ‘deductively identifiable’ patient information

It is generally accepted that information provided by ‘patients’ is provided in confidence and must be treated as such so long as it remains possible to identify the individual it relates to. This is an important point, as once information is effectively anonymised it is no longer confidential.

Effective anonymisation generally requires more than just the removal of name and address. Full postcode can enable identification of individuals, NHS number can be a strong identifier, and other information, for example date of birth, can also serve as an identifier, particularly if looked at in combination with other data items.

Preparing report for insurers or claimants

If UKHSA would not otherwise write an IMT report, then UKHSA is under no obligation to write a report simply because an insurer or claimant requests one. If the insurer or claimant wishes to instruct UKHSA to prepare an independent expert report (and potentially give such evidence at trial) and pay UKHSA an appropriate fee then, subject to any policy UKHSA may have in respect of such expert witness work, it is a matter for UKHSA whether it accepts or declines such instructions.

Similarly, if the insurer or claimant wants UKHSA to undertake further diagnostic tests or additional analyses which were not necessary for outbreak management purposes, UKHSA is under no obligation to do so. Subject to any policy UKHSA may have in relation to such tests/analyses, it is a matter for UKHSA whether it undertakes them and if so, on what basis, for example requiring the payment of an appropriate fee.

Public requests for outbreak reports under the Freedom of Information Act 2000

The Freedom of Information Act 2000 gives the public the right to request any information held by any type of public authority or by persons/organisations providing services for them. The public can request information held within things like minutes of meetings, work emails, work diaries, corporate reports, and other work documents. The information must be released unless an exemption applies and, where an exemption requires a public interest test to be carried out, the public interest favours withholding the information rather than in disclosing it.

The exemptions may include:

  • the applicant could easily obtain the requested information from elsewhere
  • the organisation already has published or has firm plans to publish the information
  • the information relates to confidential business information
  • the information relates to on-going legal or regulatory action

Personal data must not be disclosed under the Freedom of Information Act 2000 if it is personal data of an applicant or someone else and any of the following:

  • disclosure of it would contravene the data protection principles under data protection legislation
  • disclosure would contravene a valid objection to the processing of personal data
  • the data is exempt from the right of access under data protection legislation

Any request made under the Freedom of Information Act 2000 should be handled in accordance with established procedures, including consulting members of the IMT on the release of information.

FOI requests for clarifications relating to reports

Requests for clarification should be responded to, either pursuant to S.1 (1) of the Freedom of Information Act 2000 (complex clarification), or S.16 (1) of the act (straightforward clarification).

If UKHSA’s involvement in the management of the outbreak is over and a report has already been prepared by UKHSA, then generally no additional work will be required beyond disclosing the report and any documents referred to in the report. FOI does not require UKHSA to generate new information in response to requests.

If UKHSA does not respond to the request for clarification, then the applicant can initially appeal against the refusal internally and subsequently to the Information Commissioner.

Requests for information from third parties such as solicitors, the police or a coroner’s office are usually made under legislation relevant to the legal proceedings rather than the Freedom of Information Act 2000. Where personal data is involved, for example, a solicitor’s request for copies of questionnaires, exemptions under the Data Protection Act 2018 are typically relied on.

Competent Authorities (as defined in Schedule 7 of the Data Protection Act 2018), such as the police, government departments and local authorities, may request access to personal data for the purposes of:

  • the prevention or detection of crime
  • the apprehension or prosecution of offenders
  • the assessment or collection of a tax or duty or an imposition of a similar nature (Schedule 2, Part 1 (Paragraph 2) of the Data Protection Act 2018)
  • legal proceedings (including prospective legal proceedings)
  • obtaining legal advice
  • establishing, exercising, or defending legal rights (Schedule 2, Part 1 (Paragraph 5) of the Data Protection Act 2018)

The right of access to the information is not automatic. Public bodies should assess the merits of each request on a case-by-case basis and take the decision as to whether or not to apply the relevant exemption.

In addition to the requirements of data protection legislation, where the information requested includes confidential patient information (and patient consent has not been/cannot be obtained), a public interest disclosure test should be carried out: Confidentiality: NHS Code of Practice Supplementary Guidance on Public Interest Disclosures.

Third party request for information, received by UKHSA, should be passed to UKHSA’s information rights team via InformationRights@ukhsa.gov.uk

UK copyright law is set out in the Copyright, Designs and Patents Act 1988.

Copyright extends to literary works which will include reports the first owner of copyright will be the author (section 11(1) of the act).

Where a work is made by an employee in the course of their employment, the employer will be the first owner of copyright in the work, subject to any agreement to the contrary (section 11(2), of the act). The critical elements here are “employee” and work made “in the course of his employment”.

Where more than one person has created a work, the work may be classed as a work of joint authorship if the contribution of each author is not distinct from that of the other authors (section 10(1) of the act). If it is distinct, two or more separate works will exist.

Each person claiming authorship must have expended sufficient skill and labour to be classed as an author under the Copyright, Design and Patents Act 1988. In general, each joint author has the same rights as a sole author (except that licensing or assignment requires the consent of all joint authors), copyright will normally belong to the organisations who employ the authors.

If it is important for UKHSA to exercise sole rights (that is, to the exclusion of others) it needs to be the sole author, or the copyright of the other authors should be assigned or exclusively licensed to UKHSA.

If it is sufficient for UKHSA to be able to publish the report (alongside other organisations), it is sufficient for UKHSA to be a joint author to the entire report or to have a non-exclusive license to such parts of the report which are distinct from those written by UKHSA.

Back to top