The recent decision of the Court of Appeal in W, X, Y and Z v Secretary of State for Health, Secretary of State for the Home Department and British Medical Association  EWCA Civ 1034 offers rich pickings for information lawyers. It deals with the status of information about medical treatment; it looks at the scope of common law protection for private and confidential information generally; and it illustrates how wider public law concepts can apply in the field of information sharing.
The context is the arrangements for charging for NHS services. Persons who are not ordinarily resident can be charged for their use of the NHS, under the National Health Service (Charges to Overseas Visitors) Regulations 2011 (“the Charging Regulations”). Under amendments made to the Immigration Rules in 2011, individuals with unpaid NHS debts of at least £1,000 may face immigration sanctions. Also in 2011, the Secretary of State issued Guidance (“the Guidance”) on implementing the Charging Regulations.
The Guidance provides for information-sharing in support of the Charging Regulations. NHS bodies are to transmit certain information (“the Information”) about non-resident patients to the Secretary of State for Health, who then passes it to the Home Office. The Information includes the name, date of birth and gender of the patient, current address (if known), nationality, travel document number and expiry dates, the amount and date of the patient’s NHS debt, and the NHS body to which it is owed.
In judicial review proceedings, four non-UK residents challenged the legality of part of the Guidance. In substance, they were challenging the information sharing arrangements outlined above. They lost before Silber J, who held that the Information did not constitute confidential or private information. The BMA were sufficiently concerned by this that they applied to intervene in the proceedings on appeal. They were represented by Panopticon regular Anya Proops.
The Court of Appeal considered the issues under three broad headings: first, whether disclosure breached the claimants’ common law rights to privacy or confidentiality; secondly, a group of arguments about vires; and thirdly, the application of Article 8 of the European Convention on Human Rights.
On the first issue, the Court of Appeal considered privacy and confidentiality together. The Court distinguished two questions. The first whether the Information was private or confidential in nature; and, if yes, the second was whether the claimants’ rights had been breached.
As to the first question, the Court held that Silber J had adopted the wrong approach by asking whether disclosure would be “highly offensive” (adopting the language of Lord Hope in Campbell v MGN  UKHL 22). That formulation was relevant to whether an interference with the right to privacy was justified; on the prior question of whether information was private, the touchstone was Lord Nicholls’ formulation in Campbell of whether the person in question had a reasonable expectation of privacy.
The Court accepted the BMA’s submission that the Information was inherently private because it told you something about the individuals’ health: it revealed that they had been unwell to the extent that they needed to seek medical care from an NHS body; and in some cases the nature of the NHS body would indicate the nature of the illness. It did not matter that the Information was not about the details of the medical treatment in question. The Court also referred to various guidance (e.g. from the GMC and the BMA) that all identifiable patient data held by a doctor or hospital should be treated as confidential. Nevertheless, the Court held that the Information was generally not private in relation to the Secretary of State and the Home Office. The reason was that the Guidance made clear that overseas visitors treated in NHS hospitals would be made aware that in certain circumstance the Information would be passed to the Secretary of State for onward transmission to the Home Office. This awareness would negate any reasonable expectation of privacy.
The Court went on to hold that, even if the claimants had a right to privacy and confidentiality in the Information, that right was not infringed by disclosure in accordance with the Guidance. This issue required a balancing exercise, weighing the public benefit from disclosure against the harm done by interference with the right. Silber J had been correct to conclude that the balance (if it needed to be drawn) came down in favour of disclosure. He had relied on four factors: the low level of intrusion into individual privacy; the fact that overseas patients were told about the disclosure; the legitimate aim of recovering NHS debts and ensuing defaulters were not able to stay in the UK; and the fact that the Information was securely transmitted to a limited group of civil servants.
On the second issue (as to vires) the Court discussed a range of related challenges.
The claimants relied on the principle of legality, whereby fundamental rights cannot be infringed without clear Parliamentary authority. The Court held that the principle did not apply, since disclosure did not infringe the claimants’ privacy rights: see above. Next, the claimants argued that the NHS bodies did not have the power to pass on the information to the Secretary of State. The Court held that they had both the power and the duty to pass it on: the Guidance, read as a whole, amounted to a direction that they should do so, and the Secretary of State had the power to give such a direction under section 48 of the National Health Service Act 2006. The use of that power was not impliedly excluded by the existence of a power under section 251 of the same Act to make regulations about the processing of patient information. The Secretary of State was entitled to rely on the section 48 power, and was not obliged to use the regulation-making power under section 251. The power under section 48 could only be used where the Secretary of State considered its use to be necessary for his functions under the 2006 Act. It was true that under the Charging Regulations it was the NHS bodies, not the Secretary of State, that made and recovered charges; but the Secretary of State could rely on his own general functions under section 1 of the 2006 Act, to continue the promotion of a comprehensive health service, as providing a proper basis for use of the section 48 power.
The Court then held that the Secretary of State had the power to pass the information on in turn to the Home Office. He could rely for this purpose on his incidental powers under section 2 of the 2006 Act. Alternatively, he could rely on his common law powers, even if the residual category of ministerial power not dependent on either statute or prerogative was to be confined to the exercise of powers for identifiably governmental purposes (as to which, see R (Shrewsbury and Atcham BC) v Secretary of State for Communities and Local Government  EWCA Civ 148). Finally, the Guidance did not fetter the NHS bodies’ discretion: the effect of the Guidance, in conjunction with section 48 of the 2006 Act, was that they had no choice but to pass on the information, and hence there was no discretion to be fettered.
On the third issue (Article 8) the Court concluded that any interference with the Article 8(1) right would be justified under Article 8(2).
It was argued for the claimants that any interference with the Article 8(1) right would not be “prescribed by law”. The Court held that the combination of the Guidance and the operation of the Data Protection Act 1998 provided sufficient safeguards against arbitrary or abusive disclosure to satisfy this aspect of Article 8(2).