Tag Archives: DPA

March 7, 2014 · 8:29 am

The Ellison Review and records management

Failings in records management hampered the Ellison Review. In the absence of legal enforcement mechanisms, we should recognise the important of records managers

It is a truism that good records management is essential to good information rights practice. Section 46 of the Freedom of Information Act 2000 requires the Lord Chancellor to issue a records management code of practice, and the code itself says

Freedom of information legislation is only as good as the quality of the records and other information to which it provides access. Access rights are of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative

Similarly, records management is embedded in the principles of Schedule One to the Data Protection Act 1998, particularly those relating to adequacy, accuracy and retention of personal data.

But Mark Ellison QC’s report following The Stephen Lawrence Independent Review throws even sharper focus on how important records management can be in the service of justice, and the rule of law. Ellison’s Review was not a statutory inquiry, and thus did not have the legal powers to search records, or compel production of information (although its terms of reference did say that it should be given access to all necessary files). However, it appears to have been hampered by what looks like failings in records management. The report notes that

a number of potentially important areas of documentation…have not been provided to us. The explanation for this absence varies between:

a) a suspicion (or sometimes hard evidence) that they have been destroyed;
b) a belief that they must exist but cannot be found; or
c) that there simply is no record available and no way of knowing if one was ever made

Note that none of these explanations gives an indication that information has been deliberately withheld, so the subsequent announcement by the Home Secretary that there will now be a public inquiry (with full legal powers to gather information) into the infiltration methods of undercover police does not necessarily mean that information-gap will be filled.

The revelations of the disgraceful “spying” on the Lawrence family during the initial McPherson inquiry into Stephen’s death are, of course, the most important outcome of the Ellison Review. However, what unnerves me about the Ellison Review’s difficulties in getting information is that they starkly show that a failure to follow good records management practice potentially enables corruption and illegality to be covered-up, and that there is a lack of enforcement and regulatory mechanisms to prevent or punish this. The criminal sanctions regarding wilful destruction or withholding of information under FOIA apply only if the actions occur following the submission of a FOIA request, and, under the DPA, criminal sanctions only apply to unlawful obtaining or disclosure of personal data: destruction or hiding of information is unlikely to be a criminal act, in the absence of other factors.

I think this shows that Records Managers hold an exceptionally important role, one which is vital for organisational governance and compliance, and one which is sadly not recognised by some organisations. Records Managers should sit on information governance boards, should have a hotline to the Chief Information Officer, Head of Legal, Senior Information Risk Officer etc., and should be properly resourced and supported by those senior officers.

Stephen Lawrence would have been forty this year. The Stephen Lawrence Charitable Trust helps transform the lives of the young people it supports.

1 Comment

Filed under Data Protection, Freedom of Information, police, records management

Tagged as , ,

March 5, 2014 · 7:34 am

Health data breaches – missing the point?

Breaches of the DPA are not always about data security. I’m not sure NHS England have grasped this. Worse, I’m not sure the ICO understands public concern about what is happening with confidential medical information. They both need to listen.

Proponents of the care.data initiative have been keen to reassure us of the safeguards in place for any GP records uploaded to the Health and Social Care Information Centre (HSCIC) by saying that similar data from hospitals (Hospital Episode Statistics, or HES) has been uploaded safely for about two decades. Thus, Tim Kelsey, National Director for Patients and Information in the National Health Service, said on twitter recently that there had been

No data breach in SUS*/HES ever

I’ve been tempted to point out that this is a bit like a thief arguing that he’s been stealing from your pockets for twenty years, so why complain when you catch him stealing from your wallet? However, whether Tim’s claim is true or not partly depends on how you define a “breach”, and I suspect he is thinking of some sort of inadvertent serious loss of data, in breach of the seventh (data security) principle of the Data Protection Act 1998 (DPA). Whether there have been any of those is one issue, and, in the absence of transparency of how HES processing has been audited, I don’t know how he is so sure (an FOI request for audit information is currently stalled, while HSCIC consider whether commercial interests are or are likely to prejudiced by disclosure). But data protection is not all about data security, and the DPA can be “breached” in other ways. As I mentioned last week, I have asked the Information Commissioner’s Office to assess the lawfulness of the processing surrounding the apparent disclosure of a huge HES dataset to the Institute and Faculty of Actuaries, whose Society prepared a report based on it (with HSCIC’s logo on it, which rather tends to undermine their blaming the incident on their NHSIC predecessors). My feeling is that this has nothing, or very little, to do with data security – I am sure the systems used were robust and secure – but a lot to do with some of the other DPA principles, primarily, the first (processing must be fair and lawful and have an appropriate Schedule 2 and Schedule 3 condition), and the second “Personal data shall be obtained only for one or more specified and lawful purposes”).

Since the story about the actuarial report, at least three other possible “breaches” have come to light. They are listed in this Register article, but it is the first that has probably caused the most concern. It appears that the entire HES dataset, pseudonymised (not, note, anonymised) of around one terabyte, was uploaded to Google storage, and processed using Big Query. An apparently rather unconcerned statement from HSCIC (maybe they’ll blame their predecessors again, if necessary) said

The NHS Information Centre (NHS IC) signed an agreement to share pseudonymised Hospital Episodes Statistics data with PA Consulting  in November 2011…PA Consulting used a product called Google BigQuery to manipulate the datasets provided and the NHS IC  was aware of this.  The NHS IC  had written confirmation from PA Consulting prior to the agreement being signed that no Google staff would be able to access the data; access continued to be restricted to the individuals named in the data sharing agreement

So that’s OK then? Well, not necessarily. Google’s servers (and, remember “cloud” really means “someone else’s computer”) are dotted around the world, although mostly in the US, and when you upload data to the cloud, one of the problems (or benefits) is you don’t have, or don’t tend to think you have, a real say in where it is hosted. By a certain argument, this even makes the cloud provider, in DPA terms, a data controller, because it is partly determining “the manner in which any personal data are, or are to be, processed”. If the hosting is outside the European Economic Area the eight DPA principle comes into play:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

The rather excellent Tim Gough who is producing some incredibly helpful stuff on his site, has a specific page on DPA and the cloud and I commend it to you. Now, it may be that, because Google has conferred on itself “Safe Harbor” status, the eight principle is deemed to have been complied with, but I’m not sure it’s as straightforward because, in any case, Safe Harbor itself is of current questionable status and assurance.

I don’t know if PA Consulting’s upload of HES data to the cloud was in compliance with their and NHSIC’s/HSCIC’s DPA obligations, but, then again, I’m not the regulator of the DPA. So, in addition to last week’s request for assessment, I’ve asked the ICO to assess this processing as well

Hi again

I don’t yet have any reference number, but please note my previous email for reference. News has now emerged that the entire HES database may have been uploaded to some form of Google cloud storage. Would you also please assess this for compliance with the DPA? I am particularly concerned to know whether it was in compliance with the first, seventh and eighth data protection principle. This piece refers to the alleged upload to Google servers http://t.co/zWF2QprsTN

best wishes,
Jon

However, I’m now genuinely concerned by a statement from the ICO, in response to the news that they are to be given compulsory powers of audit of NHS bodies. They say (in the context of the GP data proposed to be uploaded under the care.data initiative)

The concerns around care.data come from this idea that the health service isn’t particularly good at looking after personal information

I’m not sure if they’re alluding to their own concerns, or the public’s, but I think the statement really misunderstands the public’s worries about care.data, and the use of medical data in general. From many, many discussions with people, and from reading more about this subject than is healthy, it seems to me that people have a general worry about, and objection to, their confidential medical information possibly being made available to commercial organisations, for the potential profit of the latter, and this concern stems from the possibility that this processing will lead to them being identified, and adversely affected by that processing. If the ICO doesn’t understand this, then I really think they need to start listening. And, that, of course, also goes for NHS England.

*“SUS” refers to HSCIC’s, and its predecessor, NHSIC’s Secondary Uses Service

4 Comments

Filed under care.data, Data Protection, data sharing, Information Commissioner, NHS

Tagged as , , ,

March 1, 2014 · 7:56 pm

Why no prison sentences for misuse of medical data?

So, the government, roused from its torpor by the public outrage at the care.data proposals, and the apparent sale of 47 million patient records to actuaries, is said to be proposing, as a form of reassurance, amendments to the Care Bill. The Telegraph reports that

Jeremy Hunt will unveil new laws to ensure that medical records can only be released when there is a “clear health benefit” rather than for “purely commercial” use by insurers and other companies.

Ministers will also bolster criminal sanctions for organisations which breach data protection laws by disclosing people’s personal data. Under a “one strike and you’re out” approach, they will be permanently banned from accessing NHS data

One needs to be aware that this is just a newspaper report, and as far as I know it hasn’t been confirmed by the minister or anyone else in the government, but if it is accurate, I fear it shows further contempt for public concerns about the risks to the confidentiality of their medical records.

The first of the reported amendments sounds like a statutory backing to the current assurances that patient data will only be made available to third parties if it is for the purposes that will benefit the health and social care system (see FAQ 39 on the Guide for GP Practices). It also sounds like a very difficult piece of legislation to draft, and it will be very interesting to see what the proposed amendment actually says – will it allow secondary use for commercial purposes, as long as the primary use is for a “clear health benefit”? and, crucially, how on earth will it be regulated and enforced? (will properly resourced regulators be allowed to audit third parties’ use of data? – I certainly hope so).

The second amendment implies that the Data Protection Act 1998 (DPA) will also be amended. This also sounds like a difficult provision to draft: the Telegraph says

Those that have committed even one prior offence involving patient data will be barred from accessing NHS medical records indefinitely as part of a “one strike and you’re out” approach

But what do we mean by “offence”? The Telegraph falls into the common error of thinking that the Information Commissioner’s Office’s (ICO’s) powers to serve monetary penalty notices (MPNs) to a maximum of £500,000 are criminal justice powers; they are not – MPNs are civil notices, and the money paid is not a “fine” but a penalty. The only relevant current criminal offence in the DPA is that of (in terms) deliberately or recklessly obtaining or disclosing personal data without authority of the data controller. This is an either-way offence, which means it currently carries a maximum sanction of a £5000 fine in a magistrates court, or an unlimited fine in Crown Court (it is very rare for cases to be tried in the latter though). Prosecutions under this section (55) are generally brought against individuals, because the offence involves obtaining or disclosing the data without the authority of the data controller. It is unlikely that a company would commit a section 55 offence. More likely is that a company would seriously contravene the DPA in a manner which would lead to a (civil) MPN, or more informal ICO enforcement action. More likely still is simply that the ICO would have made a finding of “unlikely to have complied” with the DPA, under section 42 – a finding which carries little weight. Are prior civil or informal action, or a section 42 “unlikely to have complied” assessment going to count for the “one strike and you’re out” approach? And even if they are, what is to stop miscreant individuals or companies functioning through proxies, or agents? or even simply lying to get access to the data?

Noteworthy by its absence in the Telegraph reports of the proposed amendments was any reference to the one change to data protection law which actually might have a deterrent effect on those who illegally obtain or disclose personal data – the possibility of being sent to prison. As I and others have written before, all that is needed to achieve this is for the government to commence Section 77 of the Criminal Justice and Immigration Act 2008, which would create the power to alter the penalty (including a custodial sentence) for a section 55 DPA offence. However, the government has long been lobbied by certain sections of the press industry not to do so, because of apparent fears that it would give the state the power to imprison investigative journalists (despite the fact that section 78 of the Criminal Justice Act 2008 – also uncommenced – creating a new defence for journalistic, literary or artistic purposes). The Information Commissioner has repeatedly called for the law to be changed so that there is a real sanction for serious criminal data protection offences, but to no avail.

Chris Pounder has argued that the custodial sentence provisions (discussion of which was kicked into the long grass which grew up in the aftermath of the Leveson inquiry) might never be introduced. Despite the calls for such strong penalties for misuse of medical data, from influential voices such as Ben Goldacre, the proposals for change outlined by the Telegraph seem to support Dr Pounder’s view.

One of the main criticisms of the disastrous public relations and communications regarding the care.data initiative is that people’s acute concerns about the security of their medical records have been dismissed with vague or misleading reassurances. With the announcement of these vague and probably ineffectual proposed legal sanctions, what a damned shame that that looks to be continuing.

3 Comments

Filed under care.data, Data Protection, data sharing, Information Commissioner, Leveson, monetary penalty notice, NHS

Tagged as , , , ,

February 28, 2014 · 4:02 pm

Fight back against damage and distress caused by inaccurate records

The distressing case of Sheila Holt, a woman in a coma, who was “harassed”* by the Department of Work and Pensions (DWP), and Seetec (DWP’s contractor carrying out work capability assessments) when they sent letters to her demanding she attempt to find work, casts light on an aspect of data protection law which is sometimes overlooked, at the expense of, for instance, data security.

I think Sheila Holt’s case suggests a possible serious contravention of the Data Protection Act 1998 (DPA) regarding the need to hold accurate records of people’s personal information. If it were indeed found to be a serious contravention, it could give rise to the possibility of a civil claim against those responsible, and enforcement action by the Information Commissioner.

We have all, I’m sure, been exasperated by organisations which fail to update their records, or mix our records up with someone else. This exasperation has even found an outlet of sorts in comedy. But behind it lies a point given serious focus by Sheila Holt’s case, and it relates to a legal obligation under the DPA. I will explain in a little detail how this works, but it does occur to me that the DPA is an underused weapon in citizens’ and consumers’ armoury, when faced with unyielding bureaucracy, and at the end of this post I will suggest an approach people might take in such circumstances.

 Please note – none of this is new, and for some readers of this blog it is basic, but I thought it would be helpful to lay it out, for any future reference. I remind readers that it is not to be taken as advice, let alone legal advice.

In what follows, the aggrieved individual is a data subject, and the organisation with inaccurate records is the data controller (this is a broad generalisation for the purposes of this post).

By s4(4) of the DPA a data controller must comply with all of the data protection principles in Schedule One of the DPA, and the fourth principle says that “Personal data shall be accurate and, where necessary, kept up to date”. 

If a data subject wants to check the accuracy of the records held on them, they can submit a request under section 7 of the DPA. This gives a broad entitlement to know who is holding their information and for what purposes, and to have the information “communicated” to them (generally in the form of copies/print-outs). If the records are shown to be inaccurate then the data subject should notify the data controller and require them to correct them.

If they fail to do so, and continue using the inaccurate records, and the inaccuracies give rise to serious (or potentially serious) consequences, then the data subject may be able to serve a legal notice requiring the data controller to stop: Section 10(1) DPA allows a data subject to serve a data controller with a notice requiring it to cease processing data which is causing or is likely to cause substantial damage or substantial distress (and that damage or distress is unwarranted). Section 10(3) DPA requires the data controller within 21 days either to comply with the 10(1) notice, or provide reasons why it will not. Section 10(4) allows a court, upon application from someone who has served a 10(1) notice, to order steps to be taken.

So, it is at least possible that a data subject who has been put to considerable time, or cost or effort because of inaccurate (“unwarranted”) records, can serve a section 10 notice. However, if this doesn’t apply (perhaps the damage or distress can only be described as minor) there is a more direct legal route: Section 14(1) DPA allows a court, on the application of a data subject that personal data of which the applicant is the subject are inaccurate, to order rectification.

Additionally, there may be the possibility of compensation. Section 13(1) DPA provides that “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Section 13(2) provides that “An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation…if the individual also suffers damage by reason of the contravention” (emphases added). So, no compensation for distress unless “damage” can be shown (per Buxton LJ “…section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered…” in Johnson v Medical Defence Union [2007] EWCA Civ 262). But if a data subject can show pecuniary loss, the door to distress damages is opened (possibly even if the former is only nominal – see Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333 where the defendant conceded nominal damages of £1, thus allowing a section 13(2) claim to proceed).

One further or parallel recourse for an aggrieved data subject is to ask the ICO, under section 42 DPA to assess whether it is likely or unlikely that that the handling of their data has been or is being carried out in compliance with the Act. A “compliance unlikely” assessment could, potentially, be used to bolster a claim under sections 10, 13 or 14. Moreover, it could lead to potential regulatory action against the data controller (for instance a civil monetary penalty notice under section 55A DPA, or an enforcement notice under section 40 DPA – although it should be noted that it would have to be a particularly serious breach of the “accuracy principle” to warrant such action, and to date, none such has been taken by the ICO). Systematic or egregious inaccuracy of records can often be an indicator of deeper information management failings, which should draw the ICO’s attention.

None of these various claims or actions under the DPA is likely to bring much comfort or relief to Sheila Holt and her family, but those who are harmed and distressed by inaccuracies in their personal information might want to consider doing some or all of the following 

  • Quantify, reasonably but comprehensively, what pecuniary damage you have suffered (letters written/phone calls made/ time off work/opportunities lost
  • Quantify how much consequent compensation for distress you think you are owed
  • Write to the data controller asking for the error to be rectified, and suggesting you might be owed appropriate compensation (as calculated above). Say that if they are not able to meet your demand you reserve the right to ask the IC to make a s42 assessment and/or make a claim under section 14 and (if appropriate) section 13(1) and (2). Say that you also reserve the right to draw the IC’s attention to what might be a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress
  • Serve a section 10(1) DPA notice requiring the CRA to cease processing inaccurate data (and to rectify) and tell them you reserve the right to seek compensation from them

The Information Commissioner’s Office (ICO) has helpful guidance on taking a data protection case to court.

*”harassed” was the word use in Parliament by the Minister

30 Comments

Filed under damages, Data Protection, Information Commissioner

Tagged as ,

February 24, 2014 · 8:35 am

Hospital records sold to insurance companies – in breach of the Data Protection Act?

I’ve asked the ICO to assess whether the sale of millions of health records to insurance companies so that they could “refine” their premiums was compliant with the law

I’m about to disclose some sensitive personal data: I have been to hospital a few times over recent years…along with 47 million other people, whose records from these visits, according to reports in the media, were sold to an actuarial society for insurance premium purposes. The Telegraph reports

a report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums.

As a result they recommended an increase in the costs of policies for thousands of customers last year. The report by the Staple Inn Actuarial Society – a major organisation for UK insurers – details how it was able to use NHS data covering all hospital in-patient stays between 1997 and 2010 to track the medical histories of patients, identified by date of birth and postcode.

I don’t know if this use of my sensitive personal data (if it was indeed my personal data) was in compliance with the Data Protection Act 1998 (DPA), although sadly I suspect that it was, but section 42 of the DPA allows a data subject to request the Information Commissioner to make an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the DPA. So that’s what I’ve done:

Hi

As a data subject with a number of hospital episodes over recent years I am disturbed to hear that the Hospital Episode Statistics (HES) of potentially 47 million patients were disclosed to Staple Inn Actuarial Society (SIAS), apparently for the purposes of helping insurance companies “refine” their premiums. I became aware of this through reports in the media (e.g. http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html). I am asking, pursuant to my right under section 42 of the Data Protection Act 1998, the ICO to assess whether various parts of this process were in compliance with the relevant data controllers’ obligations under the DPA:

1) I was not aware, until relatively recently, that HESs were provided to the HSCIC – was this disclosure by hospitals compliant with their DPA obligations?

2) Was the general processing (e.g. retention, manipulation, anonymisation, pseudonymisation) of this personal data compliant with HSCIC’s or, to the extent that HSCIC is a data processor to NHS England’s data controller, NHS England’s DPA obligations?

3) Was the disclosure of what appears to have been sensitive personal data (I note the broad definition of “personal data”, and your own guidance on anonymisation) to SIAS compliant with HSCIC’s (or NHS England’s) DPA obligations

4) Was SIAS’s subsequent processing of this sensitive personal data compliant with its DPA obligations?

You will appreciate that I do not have access to some information, so it may be that when I refer to HSCIC or NHS England or SIAS I should refer to predecessor organisations.

Please let me know if you need any further information to make this assessment.

with best wishes, Jon Baines

We’ve been told on a number of occasions recently that we shouldn’t be worried about our GP records being uploaded to HSCIC under the care.data initiative, because our hospital records have been used in this way for so long. Clare Gerada, former Chair of the Council of the Royal College of General Practitioners wrote in the BMJ that

for 25 years, hospital data have been handled securely with a suite of legal safeguards to protect confidentiality—the exact same safeguards that will continue to be applied when primary care data are added

Well, it seems to me that those legal safeguards might have failed to prevent (indeed, might have actively permitted) a breach involving 47 million records. I’m very interested to know what the Information Commissioner’s assessment will be.

UPDATE: 24 February 2014

An ICO spokesperson later said:

“We’re aware of this story, and will be gathering more information – specifically around whether the information had been anonymised – before deciding what action to take.”

UPDATE: 25 February 2014

At the Health Select Committee hearing into the care.data initiative HSCIC and NHS England representatives appeared not to know much about what data was disclosed, and in what circumstances, and effectively blamed NHSIC as a predecessor organisation. This echoed the statement from HSCIC the previous evening

The HSCIC believes greater scrutiny should have been applied by our predecessor body prior to an instance where data was shared with an actuarial society

UPDATE: 27 February 2014

GP and Clinical Lecturer Anne Marie Cunningham has an excellent post on what types of data were apparently disclosed by NHSIC (or HSCIC), and subsequently processed by, or on behalf, of SIAS. I would recommend reading the comments as well. It does seems to me that we may still be talking about pseudonymised personal data, which would mean that the relevant data controllers still had obligations under the DPA, and the ICO would have jurisdiction to investigate, and, if necessary, take regulatory action.

See also Tony Hirst’s blog posts on the subject . These are extremely complex issues, but, at a time when the future of the sharing and linking of health and other data is being hotly debated, and when the ICO is seeking feedback on its Anonymisation Code of Practice, they are profoundly important ones.

UPDATE: 14 March 2014

The ICO has kindly acknowledged receipt of my request for assessment, saying it has been passed to their health sector team for “further detailed consideration”.

UPDATE: 24 May 2014

Er, there is no real update. There was a slight hiccup, when the ICO told me it was not making an assessment because “[it] is already aware of this issue and is investigating them accordingly. Given that we do not necessarily require individual complaints to take consider taking further action your case is closed”. After I queried the legal basis for failing to make a section 42 assessment as requested, the position was “clarified”:

…we will make an assessment in relation to this case, however we are unable to do so at this present time…This is because the office is currently investigating whether, as alleged in the media, actual personal data has been shared by the HSCIC to various other organisations including Staple Inn, PA consulting and Google

I don’t criticise the ICO for taking its time to investigate: it involves a complicated assessment of whether the data disclosed was personal data. In a piece I wrote recently for the Society of Computers and Law I described the question of whether data is anonymous or not as a “profound debate”. And it is also highly complex. But what this delay, in assessing just one aspect of health data disclosure, does show, is that the arbitrary six-month delay to the implementation of care.data was never going to be sufficient to deal with all the issues, and sufficiently assure the public, and medical practitioners, to enable it to proceed. A vote on 23 May by the BMA’s Local Medical Committee’s conference emphatically illustrates this.

13 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, NHS, Privacy

Tagged as , , ,

February 23, 2014 · 11:10 am

Conservative Party website – unfair processing?

The Conservative Party website is hosting a survey, but I question whether it complies with data protection and associated laws.

The first principle of the Data Protection Act 1998 (DPA) requires that any processing of personal data be fair (and lawful). If an organisation is collecting data from individuals then the person from whom it is obtained must be told the identity of the data controller, and the purpose or purposes for which the data are intended to be processed. These legal provisions (Schedule 1, DPA) are the source of the privacy notices (sometimes called “fair processing notices”) with which we are all familiar when we, for instance, make purchases, or submit forms, or, indeed, complete online surveys. As the Information Commissioner himself says, in the introduction to the ICO Privacy Notices Code of Practice

As a minimum, a privacy notice should tell people who you are, what you are going to do with their information and who it will be shared with

the Code goes on to stress that

the requirement…is strongest…where the information is sensitive

One of the things that makes personal data “sensitive” is if it consists of information as to a person’s political opinions (section 2(b), DPA) – the reasons for this barely need spelling out, but I would just note that history tells us much about the potential for abuse of information about the political affiliations or inclinations of individuals.

With all this in mind it is concerning to note that the website of the Conservative Party invites people to complete and submit an online survey, which includes, among other things, questions about the political opinions of those completing it, but whose privacy notice consists merely of

By entering your email address you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send. We will not share your details with anyone outside the Conservative Party
This is inadequate in a number of ways, but primarily because it gives no indication whatsoever what the purposes for which the (sensitive) data are to be processed. One assumes, noting the reference to receiving emails in the future, that it is for the purposes of marketing (and the ICO has made clear that political parties do engage in marketing).  Failure to gather data fairly will mean that such future marketing use would also be in default breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Searching the rest of the website I do see that there is a generic privacy policy, which does refer to “online polls and surveys”, but that merely says that
in addition to your answers, we collect your Internet Protocol (IP) address…[to] to help validate the results and help prevent multiple entries from individuals
It is difficult to imagine that the people responsible for this survey have had regard to the ICO’s invaluable guidance for political parties for campaigning or promotional purposes, which advises, for instance that parties should be
transparent about your use of the individual’s information
In the field of market research there is a practice known as “sugging” which the Association for Qualitative Research describes thus

Sugging (selling under the guise of market research) …[occurs] when organisations building databases, or generating sales leads, claim to be conducting market research

One does wonder if that is what is going on here, but in the absence of an adequate privacy notice, it is not possible to tell.

UPDATE: 23.03.14

It looks like they’ve amended the survey now, with a link to a privacy policy. Whether it’s a coincidence they did so around the time The Independent ran a story on the issue is difficult to say.

Anyway, it seems the ICO is investigating, so watch this space.

2 Comments

Filed under Data Protection, marketing, PECR

Tagged as ,

January 31, 2014 · 4:55 pm

The care.data leaflet campaign – legally necessary?

Readers of this blog [sometimes I imagine them1] may well be fed up with posts about care.data (see here, here and here). But this is my blog and I’ll cry if I want to. So…

Doyen of information rights bloggers, Tim Turner, has written in customary analytic detail on how the current NHS care.data leafleting campaign was not necessitated by data protection law, and on how, despite some indications to the contrary, GPs will not be in the Information Commissioner’s firing line if they fail adequately to inform patients about what will be happening to their medical data.

He’s right, of course: where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) then it is not obliged, pace the otherwise very informative blogpost by the Information Commissioner’s Dawn Monaghan, to give data subjects a privacy, or fair processing notice.

(In passing, and in an attempt to outnerd the unoutnerdable, I would point out that Tim omits that, by virtue of The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000, if a data subject properly requests a privacy notice in circumstances where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) and would, thus, otherwise not be required to issue one, the data controller must comply2.)

Tim says, though

The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required

That appears to be true, under data protection law, but, under broader obligations imposed on the relevant authorities under Article 8 of the European Convention on Human Rights (ECHR), as incorporated in domestic law in the Human Rights Act 1998, it might not be so (and here, unlike with data protection law, we don’t have to consider the rigid controller/processor dichotomy in order to decide who the relevant, and liable, public authority is, and I would suggest that NHS England (as the “owner of the care.data programme” in Dawn Monaghan’s words) seems the obvious candidate, but GPs might also be caught).

In 1997 the European Court of Human Rights addressed the very-long-standing concept of the confidentiality of doctor-patient relations, in the context of personal medical data, in Z v Finland (1997) 25 EHRR 371, and said

the Court will take into account that the protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8). Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general…Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community

This, I think, nicely encapsulates why so many good and deep-thinking people have fundamental concerns about care.data.

Now, I am not a lawyer, let alone a human rights lawyer, but it does occur to me that a failure to inform patients about what would be happening with their confidential medical records when GP’s were required to upload them, and a failure to allow them to opt-out, would have potentially infringed patients’ Article 8 rights. We should not forget that, initially, there was no intention to inform patients at all (there had no attempt to inform patients about the similar upload of hospital medical data, which has been going on for over twenty years). It is, surely, possible therefore, that NHS England is not just “helping” GPs to inform patients without having any responsibility to do so (as Dawn Monaghan suggests), but that it recognises its potential vulnerability to an Article 8 challenge, and is trying to avoid or mitigate this. Whether the leaflets themselves, and the campaign to deliver them, are adequate to achieve this aim is another matter. As has been noted, the leaflet contains no opt out form, and there seem to be numerous examples of people (often vulnerable people, for instance in care homes, or refuges) who will have little or no chance of receiving a copy.

At the launch of the tireless MedConfidential campaign last year, Shami Chakrabarti, of Liberty, spoke passionately about the potential human rights vulnerabilities of the care.data programme. Notifying patients of what is proposed might not have been necessary under data protection law, but it is quite possible that the ECHR aspect of doing so was one of the things on which the Health and Social Care Information Centre (HSCIC) has been legally advised. Someone made an FOI request for this advice last year, and it is notable that HSCIC seem never to have completed their response to the request.

1I make no apologies for linking to one of Larkin’s most beautiful, but typically bleak and dystopian, pieces of prose, but I would add that it finishes “…These have I tried to remind of the excitement of jazz, and tell where it may still be found.”

2Unless the data controller does not have sufficient information about the individual in order readily to determine whether he is processing personal data about that individual, in which case the data controller shall send to the individual a written notice stating that he cannot provide the requisite information because of his inability to make that determination, and explaining the reasons for that inability

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Europe, human rights, Information Commissioner, NHS, Privacy

Tagged as , ,

January 23, 2014 · 11:22 am

Staffs Police to drop controversial naming “drink drivers” twitter campaign

ICO confirms hashtag campaign prior to conviction was unlikely to be compliant with the Data Protection Act. Other forces to be advised via ACPO of issues raised by the case

Over the Christmas period Staffordshire Police ran a social media campaign, in which drivers arrested and charged with drink-driving offences were named on twitter with the “hashtag” #drinkdriversnamedontwitter. It seemed to me, and others, that this practice arguably suggested guilt prior to any trial or conviction. As I said at the time

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver

and I asked the Information Commissioner’s Office (ICO)

whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully

The ICO have now issued a statement. Their spokesman says

The ICO spoke to Staffordshire Police following its #DrinkDriversNamedOnTwitter campaign. Our concern was that naming people who have only been charged alongside the label ‘drink driver’ strongly implies a presumption of guilt for the offence, which we felt wouldn’t fit with the Data Protection Act’s fair and lawful processing principle.

We have received reassurances from Staffordshire Police that the hashtag will no longer be used in this way, and are happy with the procedures they have in place. As a result, we will be taking no further action. We’ve also spoken with ACPO about making other police forces aware of the issues raised by this case.

I think this is a very satisfactory result. The ICO have, as I said previously, shown that they are increasingly willing to investigate contraventions of the DPA not limited to security breaches. No one would defend drink driving (and it was not the naming itself that was objectionable, but the tweeting of the names in conjunction with the hashtag) but the police should not be free to indicate or imply guilt prior to conviction – that is quite simply contrary to the rule of law.

What I still think is disappointing though, is that after an initial prompt response from the Attorney General’s twitter account (which missed my point), there has been no word from them as to whether the practice was potentially prejudicial to any forthcoming trial. Maybe they’d like to rethink this, in light of the statement from the ICO?

1 Comment

Filed under Data Protection, human rights, Information Commissioner, police, Uncategorized

Tagged as , , ,

January 20, 2014 · 3:14 pm

care.data – what am I worried will happen?

I was invited today on twitter to say what I was worried will happen as a result of the care.data programme. I’ve written about this previously, and some of my concerns are laid out in those posts. But here’s a little list:

  • I am worried that even the most robust and secure data security measures can fail, or be overridden. Patients’ identifiable data could be compromised.
  • I am worried that there is a limit to how much users of the data could be restrained from making secondary, not-beneficial-to-patients, usage of data to which they are given access (Geraint Lewis, NHS Chief Data officer, was asked how, for instance, insurance companies would be prevented from doing this – he pointed to the Information Commissioner’s powers to impose Monetary Penalty Notices to a maximum of £500,000 for suitably serious contraventions of the Data Protection Act 1998. But a penalty for misuse of data will only be a net penalty if it outstrips profit from the usage.)
  • I am worried that some people will avoid seeking medical treatment, particularly for sensitive or serious ailments, if they in turn worry about who might have access to their data.
  • I am, in more general terms, worried about the lack of transparency that has surrounded the programme, and the lack of clear information. I am worried that, if the risks are so low and the benefits so high, why were initial attempts made to sneak this under the public’s radar?
  • I am worried that the amassing of and use of personal data in itself carries risks.
  • I am worried that I am wrong about all this, and that I am attacking a programme which will potentially deliver personal and societal benefits.

But, ultimately, I am not sure it is for me to say specifically what I am worried will happen. I don’t know specifically what will happen with a lot of things I worry about.

Surely it is for the proponents of care.data to say why I should be reassured. And I’m not.

4 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner

Tagged as ,

January 18, 2014 · 11:11 am

If not that, then this?

Does the dropping of criminal charges against police officers under data protection and computer misuse legislation open the door to investigation of their employer’s civil liabilities?

The BBC reports that criminal charges have been dropped against three Nottinghamshire police officers. The charges appear to have been originally brought under the Data Protection Act 1998 (DPA) and Computer Misuse Act 1990 (CMA), and, according to the Police Federation it seems they were dropped because

prosecutors had found issues with training and advice on data protection for officers

Under section 55 of the DPA it is an offence to knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data. But the elements of the offence are not made out if the person doing this acted, for instance, in the reasonable belief that he or she had a lawful right to obtain or disclose the data, or if the obtaining was necessary for the purpose of preventing or detecting crime. Similarly, the offence of unauthorised access to computer material under section 1 of the CMA is only committed if the person knows that the access is unauthorised. If inadequate training and advice on access to data is given to employees of a data controller, then it will be difficult – as this story seems to reveal – to bring prosecutions. Effectively, the mens rea element of the offence is lacking.

However, perceptive readers of this blog might have noticed something: if incidents of inappropriate access to personal data have occurred, as appears to have been the case here, and the individuals accessing the data have been inadequately trained, does that not raise issues about the employer’s (the data controller’s) compliance with the seventh data protection principle in Schedule One of the DPA? This provides that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data

The Information Commissioner’s Office (ICO) has repeatedly stressed that appropriate staff training is essential for compliance with the seventh principle. The ICO has the power, under section 55A of the DPA, to serve a civil monetary penalty notice on a data controller which has seriously contravened the DPA, where the contravention is of a kind likely to cause substantial damage or substantial distress. One wonders whether the ICO will now look into Nottinghamshire Police’s compliance with the Act, in view of the fact that incidents serious enough to bring now-dropped criminal charge took place, and the fact that they appear to have taken place against a background of inadequate staff training.

5 Comments

Filed under Breach Notification, Data Protection, Information Commissioner, monetary penalty notice, police, Privacy

Tagged as ,