Category Archives: Privacy

Police building register of domestic CCTV for crime investigation purposes?

This is a flyer apparently being distributed by Thames Valley Police (TVP).

flyer

It invites householders who have private CCTV systems to register with TVP, who want to use those systems “in order to assist us in future investigations”.

Surveillance camera footage can undoubtedly be of great use in the investigation and prosecution of crime. But there is a potential problem for householders who decided to register with TVP, and I’d be interested to know if the latter have taken this into account.

The problem is this: CCTV cameras involve the processing of data, and where they capture images of identifiable individuals, it is personal data that they are processing. Purely domestic processing of personal data is exempt from all of the obligations under the Data Protection Act 1998, but when the processing is no longer purely for domestic purposes, then legal obligations potentially attach themselves to those doing the processing. The Information Commissioner’s Office (ICO) CCTV Code of Practice (both the current 2008 version and an updated version currently in draft) explains

The use of cameras for limited household purposes is exempt from the DPA. This applies where an individual uses CCTV to protect their home from burglary, even if the camera overlooks the street or other areas near their home

But the corollary of this is that if its use is not purely for the “household purposes” of protecting one’s home from bulgary, then the exemption no longer applies. If householders are determining that the purpose for which they will process personal data is to assist TVP in criminal investigations, then they are data controllers.

This can’t simply be TVP wanting a register of CCTV-operating households to assist them if a crime happens on those specific premises, because that would be pointless: in those circumstances the householder would draw the footage to the police’s attention. No, this must be that TVP want to be able to access footage of relevant incidents outwith the individual household. 

I’ve asked TVP if they have any policy statement or guidelines on this initiative, and will update as and when they reply.

1 Comment

Filed under Data Protection, police, Privacy, surveillance, surveillance commissioner

Privacy issues with Labour Party website

Two days ago I wrote about a page on the Labour Party website which was getting considerable social media coverage. It encourages people to submit their date of birth to find out, approximately, of all the births under the NHS, what number they were.

I was concerned that it was grabbing email address without an opt-out option. Since then, I’ve been making a nuisance of myself asking, via twitter, various Labour politicians and activists for their comments. I know I’m an unimportant blogger, and it was the weekend, but only one chose to reply: councillor for Lewisham Mike Harris, who, as campaign director for DontSpyOnUs, I would expect to be concerned, and, indeed, to his credit, he said “You make a fair point, there should be the ability to opt out”. Mike suggested I email Labour’s compliance team.

In the interim I’d noticed that elsewhere on the Labour website there were other examples of emails being grabbed in circumstances where people would not be sure about the collection. For instance: this “calculator” which purports to calculate how much less people would pay under Labour for energy bills, which gives no privacy notice whatsoever. Or even this, on the home page, which similarly gives no information about what will happen with your data

homepage

Now, some might say that, if you’re giving your details to “get involved”, then you are consenting to further contact. This is probably true, but it doesn’t mean the practice is properly compliant with data collection laws. And this is not unimportant; as well as potentially contributing to the global spam problem, poor privacy notices/lack of opt-out facilities at the point of collection of email address contribute to the unnecessary amassing of private information, and when it is done by a political party, this can even be dangerous. It should not need pointing out that, historically, and elsewhere in the world, political party lists have often been used by opposition parties and repressive governments to target and oppress activists. Indeed, the presence of one’s email on a party marketing database might well constitute sensitive personal data – as it can be construed as information on one’s political opinions (per section 2 of the Data Protection Act 1998).

So, these are not unimportant issues, and I decided to follow Mike Harris’s suggestion to email Labour’s compliance unit. However, the contact details I found on the overarching privacy policy merely gave a postal address. I did notice though that that page said

If you have any questions about our privacy policy, the information we have collected from you online, the practices of this site or your interaction with this website, please contact us by clicking here

But if I follow the “clicking here” link, it takes me to – wait for it – a contact form which gives no information whatsoever about what will happen if I submit it, other than the rather stalinesque

The Labour Party may contact you using the information you supply

And returning to the overarching privacy policy didn’t assist here – none of the categories on that page fitted the circumstances of someone contacting the party to make a general enquiry.

I see that the mainstream media have been covering the NHS birth page which originally prompted me to look at this issue. Some, like the Metro, and unsurprisingly, the Mirror, are wholly uncritical. The Independent does note that it is a clever way of harvesting emails, but fails to note the questionable legality of the practice. Given that this means that more and more email addresses will be hoovered up, without people fully understanding why, and what will happen with them, I really think that senior party figures, and the Information Commissioner, should start looking at Labour’s online privacy activities.

(By the way, if anyone thinks this is a politically-motivated post by me, I would point out that, until 2010, when I voted tactically (never again), I had only ever voted for one party in my whole life, and that wasn’t the Conservatives or the Lib Dems.)

6 Comments

Filed under Data Protection, Information Commissioner, marketing, PECR, Privacy, privacy notice, social media, tracking

DVLA, disability and personal data

Is the DVLA’s online vehicle-checker risking the exposure of sensitive personal data of registered keepers of vehicles?

The concept of “personal data”, in the Data Protection Act 1998 (DPA) (and, beyond, in the European Data Protection Directive EC/95/46) can be a slippery one. In some cases, as the Court of Appeal recognised in Edem v The Information Commissioner & Anor [2014] EWCA Civ 92 where it had to untangle a mess that the First-tier tribunal had unnecessarily got itself into, it is straightforward: someone’s name is their personal data. In other cases, especially those which engage the second limb of the definition in section 1(1) of the DPA (“[can be identified] from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller” it can be profoundly complex (see the House of Lords in Common Services Agency v Scottish Information Commissioner (Scotland) [2008] UKHL 47, a judgment which, six years on, still makes data protection practitioners wake up in the night screaming).

When I first looked at the reports that the DVLA’s Vehicle Tax Check service enabled people to see whether the registered owner of a car was disabled, I thought this might fall into the complex category of data protection issues. On reflection, I think it’s relatively straightforward.

I adopt the excellent analysis by the benefitsandwork.co.uk site

A new vehicle check service on the DVLA website allows visitors to find out whether their neighbours are receiving the higher rate of the mobility component of disability living allowance (DLA) or either rate of the mobility component of personal independence payment (PIP)…The information that DVLA are making available is not about the vehicle itself. Instead they are publishing personal information about the benefits received by the individual who currently owns the car or for whom the car is solely used.

It’s difficult to argue against this, although it appears the DVLA are trying, because they responded to the initial post by saying

The Vehicle Enquiry Service does not include any personal data. It allows people to check online what information DVLA holds about a vehicle, including details of the vehicle’s tax class to make sure that local authorities and parking companies do not inadvertently issue parking penalties where parking concessions apply. There is no data breach – the information on a vehicle’s tax class that is displayed on the Vehicle Enquiry Service does not constitute personal data. It is merely a descriptive word for a tax class

but, as benefitsandwork say, that is only true insofar as the DVLA are publishing the tax band of the car, but when they are publishing that the car belongs to a tax-exempt category for reasons of the owner’s disability, they are publishing something about the registered keeper (or someone they care for, or regularly drive), and that is sensitive personal data.

What DVLA is doing is not publishing the car’s tax class – that remains the same whoever the owner is – they are publishing details of the exempt status of the individual who currently owns it. That is personal data about the individual, not data about the vehicle

As the Information Commissioner’s guidance (commended by Moses LJ in Edem) says

Is the data being processed, or could it easily be processed, to: learn; record; or decide something about an identifiable individual, or; as an incidental consequence of the processing, either: could you learn or record something about an identifiable individual; or could the processing have an impact on, or affect, an identifiable individual

Ultimately benefitsandwork’s example (where someone was identified from this information) unavoidably shows that the information can be personal data: if someone can search the registration number of a neighbour’s car, and find out that the registered keeper is exempt from paying the road fund licence for reasons of disability, that information will be the neighbour’s personal data, and it will have been disclosed to them unfairly, and in breach of the DPA (because no condition for the disclosure in Schedule 3 exists).

I hope the DVLA will rethink.

 

11 Comments

Filed under Confidentiality, Data Protection, Directive 95/46/EC, disability, Information Commissioner, Privacy

Google is not a library, Dr Cavoukian

The outgoing Ontario Information and Privacy Commissioner Ann Cavoukian, whose time in office has been hugely, and globally, influential (see in particular Privacy by Design) has co-written (with Christopher Wolf) an article strongly criticising the judgment of the Court of Justice of the European Union (CJEU) in the Google Spain case.

For anyone who has been in the wilderness for the last few weeks, in Google Spain the CJEU ruled that Google Spain, as a subsidiary of Google inc. operating on Spanish territory, was covered by the obligations of the European Data Protection Directive 95/46/EC, that it was operating as an entity that processed personal data in the capacity of a data controller, and that it was accordingly required to consider applications from data subjects for removal of search returns. Thus, what is loosely called a “right to be forgotten” is seen already to exist in the current data protection regime.

Many have written on this landmark CJEU ruling (I commend in particular Dr David Erdos’s take, on the UK Constitutional Law Blog) and I am not here going to go into any great detail, but what I did take issue with in the Cavoukian and Wolf piece was the figurative comparison of Google with a public library:

A man walks into a library. He asks to see the librarian. He tells the librarian there is a book on the shelves of the library that contains truthful, historical information about his past conduct, but he says he is a changed man now and the book is no longer relevant. He insists that any reference in the library’s card catalog and electronic indexing system associating him with the book be removed, or he will go to the authorities…

…The government agent threatens to fine or jail the librarian if he does not comply with the man’s request to remove the reference to the unflattering book in the library’s indexing system.

Is this a scenario out of George Orwell’s Nineteen Eighty-Four? No, this is the logical extension of a recent ruling from Europe’s highest court

(I pause briefly to say that if I never see another reference to Orwell in the context of privacy debate I will die a happy man).

I’m fond of analogies but Cavoukian’s and Wolf’s one (or maybe it’s a metaphor?) is facile. I think it could more accurately say

A man walks into a library. He sees that, once again, the library has chosen, because of how it organises its profit-making activities, to give great prominence to a book which contains information about his past conduct, which is no longer relevant, and which it is unfair to highlight. He asks them to give less prominence to it.

Cavoukian and Wolf accept that there should be a right to remove “illegal defamatory” content if someone posts it online, but feel that the issue of links to “unflattering, but accurate” information should be explored using “other solutions”. (I pause again to note that “unflattering” is an odd and loaded word to use here: Mr Gonzalez, in the Google Spain case, was concerned about out-of-date information about bankruptcy, and other people who might want to exercise a right to removal of links might be concerned by much worse than “unflattering” information).

I don’t disagree that other solutions should be explored to the issue of the persistence or reemergence of old information which data subjects reasonably no longer wish to be known, but people are entitled to use the laws which exist to pursue their aims, and the application by the CJEU of data protection law to the issues pleaded was, to an extent, uncontroversial (is Google a data controller? if it is, what are its obligations to respect a request to desist from processing?)

Cavoukian and Wolf criticise the CJEU for failing to provide sufficient instruction on how “the right to be forgotten” should be applied, and for failing to consider whether “online actors other than search engines have a duty to ‘scrub’ the Internet of unflattering yet truthful facts”, but a court can only consider the issues pleaded before it, and these weren’t. Where I do agree with them is in their criticism of the apparent failure by the CJEU, when giving effect to the privacy rights in Article 8 of the European Convention on Human Rights, and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, to consider adequately, if at all, the countervailing rights to freedom of expression in Article 10 of the former and Article 11 of the latter. In this respect, the prior Opinion of the Advocate General was perhaps to be preferred.

The key word in my replacement library ananolgy above is “chosen”. Google is not a passive and inert indexing system. Rather, it is a dynamic and commercially-driven system which uses complex algorithms to determine which results appear against which search terms. It already exercises editorial control over results, and will remove some which it is satisfied are clearly unlawful or which constitute civil wrongs such as breach of copyright. Is it so wrong that (if it gives appropriate weight to the (sometimes) competing considerations of privacy and freedom of expression) it should be required to consider a request to remove unfair and outdated private information?

 

 

2 Comments

Filed under Data Protection, Directive 95/46/EC, Europe, human rights, Privacy

The Partridge Review reveals apparently huge data protection breaches

Does the Partridge Review of NHS transfers of hospital episode patient data point towards one of the biggest DPA breaches ever?

In February this year Tim Kelsey, NHS England’s National Director for Patients and Information, and vocal cheerleader for the care.data initiative, assured the public, in an interview on the Radio 4 Today programme, that in the twenty five years that Hospital Episode Statistics (HES) have been shared with other organisations

the management of the hospital episode database…there has never been a single example of that data being compromised, the privacy of patients being compromised…

When pressed by medConfidential‘s Phil Booth about this, and about risks of reidentification from the datasets, Tim repeated that no patient’s privacy had been compromised.

Some of us doubted this, as news of specific incidents of data loss emerged, and even more so as further news emerged suggesting that there had been transfers (a.k.a. sale) of huge amounts of potentially identifiable patient data to, for instance, the Institute and Faculty of Actuaries. The latter news led me to ask the Information Commissioner’s Office (ICO) to assess the lawfulness of this processing, an assessment which has not been completed four months later.

However, with the publication on 17 June of Sir Nick Partridge’s Review of Data Releases by the NHS Information Centre one questions the basis for Tim’s assertions. Sir Nick commissioned PwC to analyse a total of 3059 data releases between 2005 and 2013 (when the NHS Information Centre (NHSIC) ceased to exist, and was replaced by the Health and Social Care Information Centre HSCIC). The summary report to the Review says that

It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly

and it reveals a series of concerning and serious failures of data governance, including

  • lack of detailed records between 1 April 2005 and 31 March 2009
  • two cases of data that was apparently released without a proper record remaining of which organisation received the data
  • [no] evidence that Northgate [the NHSIC contractor responsible for releases] got permission from the NHS IC before making releases as it was supposed to do
  • PwC could not find records to confirm full compliance in about 10% of the sample

 Sir Nick observes that

 the system did not have the checks and balances needed to ensure that the appropriate authority was always in place before data was released. In many cases the decision making process was unclear and the records of decisions are incomplete.

and crucially

It also seems clear that the responsibilities of becoming a data controller, something that happens as soon as an organisation receives data under a data sharing agreement, were not always clear to those who received data. The importance of data controllers understanding their responsibilities remains vital to the protection of people’s confidentiality

(This resonates with my concern, in my request to the ICO to assess the transfer of data from HES to the actuarial society, about what the legal basis was for the latter’s processing).

Notably, Sir Nick dispenses with the idea that data such as HES was anonymised:

The data provided to these other organisations under data sharing agreements is not anonymised. Although names and addresses are normally removed, it is possible that the identity of individuals may be deduced if the data is linked to other data

 And if it was not anonymised, then the Data Protection Act 1998 (DPA) is engaged.

All of this indicates a failure to take appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, which the perspicacious among you will identify as one of the key statutory obligations placed on data controllers by the seventh data protection principle in the DPA.

Sir Nick may say

 It is a matter of fact that no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC

but simply because no complaint was made (at the time – complaints certainly have been made since concerns started to be raised) does not mean that the seventh principle was not contravened, in a serious way.  And a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress can potentially lead to the ICO serving a monetary penalty notice (MPN) to a maximum of £500,000 (at least for contraventions after April 2010, when the ICO’s powers commenced).

The NHSIC is no more (although as Sir Nick says, HSCIC “inherited many of the NHS IC’s staff and procedures”). But that has not stopped the ICO serving MPNs on successor organisation in circumstances where their predecessors committed the contravention.  One waits with interest to see whether the ICO will take any enforcement action, but I think it’s important that they consider doing so, because, even though Sir Nick makes nine very sensible recommendations to HSCIC, one could be forgiven – having been given clear assurances previously, by the likes of Tim Kelsey and others – for having reservations as to future governance of our confidential medical data. I would suggest it is imperative that HSCIC know that their processing of personal data is now subject to close oversight by all relevant regulatory bodies.

 

 

 

 

 

 

 

 

 

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Right now, you are being monitored

This morning, as I was leaving the house for work, I wanted to check the weather forecast so started tapping and swiping away at my newish iPhone to find the weather screen. I was startled to see some text appear which said

Right now, it would take you about 11 minutes to drive to [workplace address]

(It looked a bit like this (not my phone I stress)).

It was correct, it would indeed take me about that long to drive to work at that time, but I was genuinely taken aback. After a bit of research I see that this was a new feature in iOS7, (and, indeed, the weather widget was lost at the same time). Sure enough, I find that my new phone has been logging frequently visited locations, but must have also been logging the fact that I travel between A (home) and B (work) frequently. It is described by Apple as being a way to

Allow your iPhone to learn places you frequently visit in order to provide useful location-related information

I’m not going to argue whether this is a useful service or not, or even whether on general principles it is concerning or not. What I am going to say is that, because I’ve not had much time recently to sit down and learn about my new phone, to customise it in the most privacy-friendly way, I’ve been saddled with a default setting which has captured an extraordinarily accurate dataset about my travel habits without my knowledge. And yes, I know that tracking is a prerequisite of mobile phone functionality, but I would just rather it was, as default, limited to the bare minimum. 

p.s. to turn off this default setting, navigate to Settings/Privacy/Location Services [scroll to very bottom]/System Services/Frequent Locations and set to “off”

 

Leave a comment

Filed under Data Protection, interception, Privacy, surveillance, tracking

Data Protection for Baddies

Should Chris Packham’s admirable attempts to expose the cruelties of hunting in Malta be restrained by data protection law? And who is protected by the data protection exemption for journalism?

I tend sometimes to lack conviction, but one thing I am pretty clear about is that I am not on the side of people who indiscriminately shoot millions of birds, and whose spokesman tries to attack someone by mocking their well-documented mental health problems. So, when I hear that the FNKF, the Maltese “Federation for Hunting and Conservation” has

presented a judicial protest against the [Maltese] Commissioner of Police and the Commissioner for Data Protection, for allegedly not intervening in “contemplated” or possible breaches of privacy rules

with the claim being that they have failed to take action to prevent

BBC Springwatch presenter Chris Packham [from] violating hunters’ privacy by “planning to enter hunters’ private property” and by posting his video documentary on YouTube, which would involve filming them without their consent

My first thought is that this is an outrageous attempt to manipulate European privacy and data protection laws to try to prevent legitimate scruting of activities which sections of society find offensive and unacceptable. It’s my first thought, and my lasting one, but it does throw some interesting light on how such laws can potentially be used to advance or support causes which might not be morally or ethically attractive. (Thus it was that, in 2009, a former BNP member was prosecuted under section 55 the UK Data Protection Act 1998 (DPA 1998) for publishing a list of party members on the internet. Those members, however reprehensible their views or actions, had had their sensitive personal data unlawfully processed, and attracted the protection of the DPA (although the derisory £200 fine the offender received barely served as a deterrent)).

I do not profess to being an expert in Maltese Data Protection law, but, as a member state of the European Union, Malta was obliged to implement Directive EC/95/46 on the Protection of Individuals with regard to the Processing of Personal Data (which it did in its Data Protection Act of 2001). The Directive is the bedrock of all European data protection law, generally containing minimum standards which member states must implement in domestic law, but often allowing them to legislate beyond those minimum standards.

It may well be that the activities of Chris Packham et al do engage Maltese data protection law. In fact, if, for instance, film footage or other information which identifies individuals is recorded and broadcast in other countries in the European Union, it would be likely to constitute an act of “processing” under Article 2(b) of the Directive which would engage data protection law in whichever member state it was processed.

Data protection law at European level has a scope whose potential breadth has been described as “breath-taking”. “Personal data” is “any information relating to an identified or identifiable natural person” (that is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”), and “processing” encompasses “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

However, the broad scope does not necessarily means broad prohibitions on activities involving processing. Personal data must be processed “fairly and lawfully”, and can (broadly) be processed without the data subject’s consent in circumstances where there is a legal obligation to do so, or where it is necessary in the public interest, or necessary where the legitimate interests of the person processing it, or of a third party, outweigh the interests for fundamental rights and freedoms of the data subject. These legitimising conditions are implemented into the Maltese Data Protection Act 2001 (at section 9), so it can be seen that the FKNF’s claim that Packham requires the hunters’ consent to film might not have legs.

Moreover, Article 9 of the Directive, transposed in part at section 6 of the 2001 Maltese Act, provides for an exemption to most of the general data protection obligations where the processing is for journalistic purposes, which almost certainly be engaged for Packham’s activities. Whether, however, any other Maltese laws might apply is, I’m afraid, well outside my area of knowledge.

But what about activists who might not normally operate under the banner of “journalism”? What if Packham were, rather than a BBC journalist/presenter, “only” a naturalist? Would he be able to claim the journalistic data protection exemption?

Some of these sorts of issues are currently edging towards trial in litigation brought in the UK, under the DPA 1998, by a mining corporation (or, in its own words, a “diversified natural resources business”), BSG Resources, against Global Witness, an NGO one of whose stated goals is to “expose the corrupt exploitation of natural resources and international trade systems”. BSGR’s claims are several, but are all made under the DPA 1998, and derive from the fact they have sought to make subject access requests to Global Witness to know what personal data of the BSGR claimants is being processed, for what purposes and to whom it is being or may be disclosed. Notably, BSGR have chosen to upload their grounds of claim for all to see. For more background on this see the ever-excellent Panopticon blog, and this article in The Economist.

This strikes me as a potentially hugely significant case, firstly because it illustrates how data protection is increasingly being used to litigate matters more traditionally seen as being in the area of defamation law, or the tort of misuse of private information, but secondly because it goes to the heart of questions about what journalism is, who journalists are and what legal protection (and obligations) those who don’t fit the traditional model/definition of journalism have or can claim.

I plan to blog in more detail on this case in due course, but for the time being I want to make an observation. Those who know me will not have too much trouble guessing on whose side my sympathies would tend to fall in the BSGR/Global Witness litigation, but I am not so sure how I would feel about extending journalism privileges to, say, an extremist group who were researching the activities of their opponents with a view to publishing those opponents’ (sensitive) personal data on the internet. If society wishes to extend the scope of protection traditionally afforded to journalists to political activists, or citizen bloggers, or tweeters, it needs to be very careful that it understands the implications of doing so. Freedom of expression and privacy rights coexist in a complex relationship, which ideally should be an evenly balanced one. Restricting the scope of data protection law, by extending the scope of the exemption for journalistic activities, could upset that balance.

7 Comments

Filed under Data Protection, Europe, human rights, journalism, Privacy, Uncategorized

A balanced view on Optic Nerve

As I’m keen always to take a balanced view of important privacy issues, and not descend into the sort of paranoid raving which always defines, say, the state as the enemy, capable of almost anything, I sometimes think I end up being a bit naive, or at least having naive moments.

So, when outgoing Chair of Ofcom Dame Colette Bowe recently gave evidence to the House of Lords Select Committee on Communications, and said about consumers that

their smart TV may well have a camera and a microphone embedded in it there in their living room. What is that smart TV doing? Do people realise that this is a two-way street?

I thought for a moment “Oh come on, don’t be so scaremongering”. Sure, we saw the stories about Smart TVs and cookies, which is certainly an important privacy issue, but the idea that someone would use your TV to spy on you…?!

And then, of course, I quickly remembered – with a feeling of nausea – that that is exactly the sort of thing that GCHQ are alleged to have done, by jumping on the unencrypted web cam streams of Yahoo users, as part of the Optic Nerve program. And each time I remember this, it makes me want to scream “THEY WERE INDISCRIMINATELY SPYING ON PEOPLE…IN THEIR HOMES, IN THEIR BEDROOMS, FOR ****’S SAKE!”

And they were doing it just because they could. Because they’d notice a way – a vulnerability – and taken advantage of it to slurp masses of intensely private data, just in case it might prove useful in the future.

The intrusion, the prurience, the violation do indeed make me feel like raving against the state and its agents who, either through direct approval, or tacit acceptance, or negligence, allowed this to happen. Although *balance alert* GCHQ do, of course, assure us that “GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law”. So that’s OK. And yes, they really did call it “proportionate”. 

I know the web cam grabbing was by no means the only such intrusion, but for me it exemplifies the “something” which went wrong, at some point, which led to this. I don’t know what that something was, or even how to fix it, and I’ve never used a web cam, so have no direct interest, but I will closely watch the progress of Simon Davies’ request for the Attorney General to refer the matter to the police.

Leave a comment

Filed under Confidentiality, Data Protection, human rights, interception, Privacy, RIPA, surveillance

Sale of patient data – time for an independent review?

The Sunday Times reports that a billion patient records have been sold to a marketing consultancy. Is it time for an independent review of these highly questionable data sharing practices?

In 2012, at the behest of the then Secretary of State for Health, Andrew Lansley (driver of the Health and Social Care Act 2012), Dame Fiona Caldicott chaired a review of information governance in the NHS. Her report, which focused on the issue of sharing of information, was published in April 2013. At the time a statement in it, referring to the Information Commissioner’s Office (ICO) stood out to me, and it stands out even more now, but for different reasons. It says

The ICO told the Review Panel that no civil monetary penalties have been served for a breach of the Data Protection Act due to formal data sharing between data controllers in any organisation for any purpose

At the time, I thought “Well duh” – of course the ICO is not going to take enforcement action where there has been a formal data sharing agreement, because, clearly, the parties entering into such an agreement are going to make sure they do so lawfully, and with regard to the ICO guidance on data sharing – lawful and proportionate data sharing is, er, lawful, so the ICO wouldn’t be able to take action.

But now, with the frequent and worrying stories emerging of apparent data sharing arrangements between the NHS Information Centre (NHSIC), and its successor, the Health and Social Care Information Centre (HSCIC), I start to think the ICO’s comments are remarkable for what they might reveal about them looking in the wrong direction, when they should have been paying more attention to the lawfulness of huge scale data sharing arrangements between the NHS and private bodies. And now, The Sunday Times reports that

A BILLION NHS records containing details of patients’ hospital admissions and operations have been sold to a marketing consultancy working for some of the world’s biggest drug companies

I think it is time for a wholesale review, properly funded, by the ICO as independent regulator, of these “formal data sharing” arrangements. They appear to have a questionable legal basis, based to a large extent on questionable assumptions and assurances that pseudonymisation equates to anonymisation (which anyone who looks into will realise is nonsense).

And I think the review should also consider how and why these arrangements appear to have deliberately been taking place behind the backs of the patients whose data has been “shared”.

Leave a comment

Filed under care.data, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Hospital records sold to insurance companies – in breach of the Data Protection Act?

I’ve asked the ICO to assess whether the sale of millions of health records to insurance companies so that they could “refine” their premiums was compliant with the law

I’m about to disclose some sensitive personal data: I have been to hospital a few times over recent years…along with 47 million other people, whose records from these visits, according to reports in the media, were sold to an actuarial society for insurance premium purposes. The Telegraph reports

a report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums.

As a result they recommended an increase in the costs of policies for thousands of customers last year. The report by the Staple Inn Actuarial Society – a major organisation for UK insurers – details how it was able to use NHS data covering all hospital in-patient stays between 1997 and 2010 to track the medical histories of patients, identified by date of birth and postcode.

I don’t know if this use of my sensitive personal data (if it was indeed my personal data) was in compliance with the Data Protection Act 1998 (DPA), although sadly I suspect that it was, but section 42 of the DPA allows a data subject to request the Information Commissioner to make an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the DPA. So that’s what I’ve done:

Hi

As a data subject with a number of hospital episodes over recent years I am disturbed to hear that the Hospital Episode Statistics (HES) of potentially 47 million patients were disclosed to Staple Inn Actuarial Society (SIAS), apparently for the purposes of helping insurance companies “refine” their premiums. I became aware of this through reports in the media (e.g. http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html). I am asking, pursuant to my right under section 42 of the Data Protection Act 1998, the ICO to assess whether various parts of this process were in compliance with the relevant data controllers’ obligations under the DPA:

1) I was not aware, until relatively recently, that HESs were provided to the HSCIC – was this disclosure by hospitals compliant with their DPA obligations?

2) Was the general processing (e.g. retention, manipulation, anonymisation, pseudonymisation) of this personal data compliant with HSCIC’s or, to the extent that HSCIC is a data processor to NHS England’s data controller, NHS England’s DPA obligations?

3) Was the disclosure of what appears to have been sensitive personal data (I note the broad definition of “personal data”, and your own guidance on anonymisation) to SIAS compliant with HSCIC’s (or NHS England’s) DPA obligations

4) Was SIAS’s subsequent processing of this sensitive personal data compliant with its DPA obligations?

You will appreciate that I do not have access to some information, so it may be that when I refer to HSCIC or NHS England or SIAS I should refer to predecessor organisations.

Please let me know if you need any further information to make this assessment.

with best wishes, Jon Baines

We’ve been told on a number of occasions recently that we shouldn’t be worried about our GP records being uploaded to HSCIC under the care.data initiative, because our hospital records have been used in this way for so long. Clare Gerada, former Chair of the Council of the Royal College of General Practitioners wrote in the BMJ that

for 25 years, hospital data have been handled securely with a suite of legal safeguards to protect confidentiality—the exact same safeguards that will continue to be applied when primary care data are added

Well, it seems to me that those legal safeguards might have failed to prevent (indeed, might have actively permitted) a breach involving 47 million records. I’m very interested to know what the Information Commissioner’s assessment will be.

UPDATE: 24 February 2014

An ICO spokesperson later said:

“We’re aware of this story, and will be gathering more information – specifically around whether the information had been anonymised – before deciding what action to take.”

UPDATE: 25 February 2014

At the Health Select Committee hearing into the care.data initiative HSCIC and NHS England representatives appeared not to know much about what data was disclosed, and in what circumstances, and effectively blamed NHSIC as a predecessor organisation. This echoed the statement from HSCIC the previous evening

The HSCIC believes greater scrutiny should have been applied by our predecessor body prior to an instance where data was shared with an actuarial society

UPDATE: 27 February 2014

GP and Clinical Lecturer Anne Marie Cunningham has an excellent post on what types of data were apparently disclosed by NHSIC (or HSCIC), and subsequently processed by, or on behalf, of SIAS. I would recommend reading the comments as well. It does seems to me that we may still be talking about pseudonymised personal data, which would mean that the relevant data controllers still had obligations under the DPA, and the ICO would have jurisdiction to investigate, and, if necessary, take regulatory action.

See also Tony Hirst’s blog posts on the subject . These are extremely complex issues, but, at a time when the future of the sharing and linking of health and other data is being hotly debated, and when the ICO is seeking feedback on its Anonymisation Code of Practice, they are profoundly important ones.

UPDATE: 14 March 2014

The ICO has kindly acknowledged receipt of my request for assessment, saying it has been passed to their health sector team for “further detailed consideration”.

UPDATE: 24 May 2014

Er, there is no real update. There was a slight hiccup, when the ICO told me it was not making an assessment because “[it] is already aware of this issue and is investigating them accordingly. Given that we do not necessarily require individual complaints to take consider taking further action your case is closed”. After I queried the legal basis for failing to make a section 42 assessment as requested, the position was “clarified”:

…we will make an assessment in relation to this case, however we are unable to do so at this present time…This is because the office is currently investigating whether, as alleged in the media, actual personal data has been shared by the HSCIC to various other organisations including Staple Inn, PA consulting and Google

I don’t criticise the ICO for taking its time to investigate: it involves a complicated assessment of whether the data disclosed was personal data. In a piece I wrote recently for the Society of Computers and Law I described the question of whether data is anonymous or not as a “profound debate”. And it is also highly complex. But what this delay, in assessing just one aspect of health data disclosure, does show, is that the arbitrary six-month delay to the implementation of care.data was never going to be sufficient to deal with all the issues, and sufficiently assure the public, and medical practitioners, to enable it to proceed. A vote on 23 May by the BMA’s Local Medical Committee’s conference emphatically illustrates this.

13 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, NHS, Privacy