EU APPROVES FINANCIAL DATA TRANSFERS TO US FOR COUNTER-TERRORISM PURPOSES

July 28th, 2010 by Anya Proops

On 13 July 2010, the Council of Europe promulgated a decision whereby it approved an agreement between the EU and the US for the transfer of financial messaging data from the EU to the US, specifically for the purposes of the US’s Terrorist Finance Tracking Programme. The decision has now been published in the Official Journal for the EU. See further the Council decision dated 28 June 2010 confirming the signing of the agreement, which you can find here.

NEW ICO CODE OF PRACTICE FOR PROCESSING OF PERSONAL DATA ONLINE

July 15th, 2010 by Robin Hopkins

The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal data as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access is withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.

DATA PROTECTION IN EUROPE - JUDGMENT IN BAVARIAN BEER

July 2nd, 2010 by Anya Proops

On 29 June 2010, the European Court of Justice handed down an important judgment on how provisions within EU law which permit access to documents held by EU institutions are to be applied where the documents contain third party personal data – European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P). The case involved an application for disclosure of a document held by the European Commission which recorded discussions on the application of certain beer import restrictions within the UK. A number of individuals were identified by name in the document. The application for disclosure was made by Bavarian Lager under EU Regulation 1049/2001 (the Access Regulation). The Access Regulation is designed to facilitate public access to documents held by EU institutions with a view to increasing their transparency and accountability. Importantly, like FOIA, the Access Regulation is, on its face, motive-blind (i.e. it does not require the applicant to establish a legitimate reason for accessing the information). The Commission provided the requested document, save that it redacted the names of certain individuals identified in the document. The key issue which arose in the case was whether, in deciding whether to release the names of the individuals in question, the Commission had been entitled to take into account whether Bavarian Lager had established that it had legitimate interests in receiving this particular data.

The Court of First Instance (now ‘the General Court’) held that: (a) particularly having regard to the motive-blind nature of the Access Regulation, the Commission had erred in taking into account Bavarian Lager’s interests in receiving the information and (b) the names should be disclosed. On appeal by the Commission, the ECJ overturned the CFI’s judgment. In summary, the ECJ reached the following conclusions on the appeal:

(1) the CFI had erred because it had failed to have due regard to the way in which the Access Regulation effectively deferred to provisions contained in other EU legislation, in particular Regulation 45/2001 which is specifically concerned with protecting individuals with regard to the processing of their personal data by EU institutions (“the DP Regulation”);

(2) the DP Regulation itself required consideration of the question of whether the applicant had a legitimate interest in receiving the particular personal data;

(3) accordingly, the Commission had not erred when it decided that Bavarian Lager had not established a legitimate interest in receiving the personal data contained in the documents;

(4) the data had been lawfully withheld by the Commission.

11KBW’s Jason Coppel appeared on behalf of the United Kingdom.

WATCH THIS SPACE

June 30th, 2010 by Timothy Pitt-Payne QC

The Coalition’s Programme for Government contains a great deal that is of interest to information lawyers: see here.  But when and how will any of this be given legislative effect?

The Queen’s Speech was delivered on 25th May 2010. The website of the Prime Minister’s office gives a list of the proposed Bills, with further information about each one. Three of the proposed Bills have potential implications for information law.

(i) The Public Bodies (Reform) Bill will enhance the transparency and accountability of quangos: though it is not clear as yet whether enhanced information access rights will play a role in this.

(ii) The Decentralisation and Localism Bill will (among other matters) require public bodies to publish online the job titles of every member of staff and the salaries and expenses of senior officials.

(iii) The Freedom (Great Repeal) Bill is intended to cover a wide range of subjects, to be announced in due course: it may include an extension to the scope of FOIA, and also various provisions in relation to privacy (e.g. relating to CCTV cameras, and the DNA database).

Of these Bills, it is the third that is likely to be much the most significant. 

PATIENT INFORMATION - MADE FOR SHARING?

June 17th, 2010 by Timothy Pitt-Payne QC

Sharing patient information in the NHS has proved highly controversial.  We posted about this subject here a while back.  Now there’s a new report from UCL researchers, suggesting that two key recent NHS IT programmes for handling patient information have so far delivered only modest benefits.   A short summary appears here, with links to the executive summary and the full report.  A research paper based on the findings has been published in the BMJ.

The three-year UCL project looked at the Summary Care Record (SCR) and at HealthSpace, both introduced as part of the NHS National Programme for IT.

The SCR is an electronic summary of key health data, taken from GP records and other sources, and available to a range of NHS staff.   According to the UCL report, very few people had chosen to opt out; less than 1% of those who had been sent the relevant information.  But SCRs were not yet widely used; even where available, they were only accessed in 21% of clinical encounters.  So far there was little evidence that SCRs improved patient safety or reduced consultation length or hospital admissions.

HealthSpace is a tool that allows patients to update their own health information, plan healthcare appointments, and contact their GP via a secure internet connection.  So far, take up has been very low.  According to the UCL study only one person in 200 who was invited to open a basic account did so, and only one in 1000 opened an advanced account.

The report’s lead author, Professor Greenhalgh, is quoted as saying: “This research shows that the significant benefits anticipated for these programmes have, by and large, yet to be realised - and that they may be achieved only at high cost and enormous effort … It serves to demonstrate the wider dilemma of national databases: that scaling things up doesn’t necessarily make them more efficient or effective.”

INFORMATION LAW AND THE NEW POLITICS

June 7th, 2010 by Timothy Pitt-Payne QC

I gave a paper at the last 11KBW information law seminar, on the new Government’s plans for information law.  An updated version of the paper is now available here.  It takes account of the Coalition’s programme, published on 20th May.

The new Government is putting forward a number of proposals for disclosing public sector information on a regular and routine basis, rather than on request:  for more detail see this posting on the official website for the Prime Minister’s office. On 4th June 2010 the Government disclosed a considerable amount of information from the COINS database (standing for Combined Online Information System) relating to public spending in 2009/10.  In total there are thought to be over 3 million separate items of information in the new release.  See here for the raw data; and see here for a tool designed by the Guardian, intended to help navigate the newly released information.  No doubt the COINS release will lead to a number of follow-up FOIA requests relating to specific items of expenditure; it will be interesting to see how those requests are handled by Government departments.  

NEW POLITICS, OR SAME OLD STORY?

May 22nd, 2010 by Timothy Pitt-Payne QC

On 19th May I gave a paper at 11KBW’s Information Law seminar, entitled “Information Law in the new Parliament”.  This was a discussion of the new coalition government’s proposals relating to information law.  On the following day, “The Coalition:  our programme for government” was published, giving  a much fuller account of the new Government’s programme.

I am revising my paper to take account of the new document.  I will be posting the revised paper here, in the course of next week.

PATIENT DATA SHARING - ARE WE RUNNING OUT OF PATIENCE?

March 26th, 2010 by Anya Proops

The question of the extent to which those working within the national health service should have access to patient data is a difficult one to resolve. On the one hand, permitting widespread access can potentially enable health service providers to provide more efficient, ‘joined up’ health-care to patients. On the other hand, there will always be concerns that too much access increases the risk that patient data, which is obviously sensitive personal data for the purposes of s. 2 of the Data Protection Act 1998, will be misused and/or inadvertently disclosed to third parties. We have seen this debate unfolding not least in respect of the Spine database project which is aimed at achieving a comprehensive centralised database of NHS patient records. The British Medical Association amongst others have already expressed concern that the system is being rolled out too quickly (see further this article from the Guardian earlier this month). Today, reports are surfacing in the media that an NHS Trust in Wales is failing to ensure that proper restrictions are being placed on hospital staff accessing patient data (see further this BBC article which suggests hospital porters, IT staff and administrators have all been permitted access to patient data). This kind of story is only going to fuel concerns that the quest for efficiency in patient treatment requires too high a price to be paid in terms of compromising the privacy rights of patients.

PRIVACY BY DESIGN - NEW OPINION FROM THE EUROPEAN DATA PROTECTION SUPERVISOR

March 24th, 2010 by Anya Proops

The European Data Protection Supervisor last week adopted a new opinion examining the question of how effectively to safeguard data protection and privacy rights in the fast-moving world of information technology. The central thrust of the opinion is that new information technologies themselves need to be developed in a way which protects personal data and privacy, rather than simply being subject to possibly ineffective control policies once they have been developed. This so called ‘privacy by design’ approach to developing new technologies is intended to build public trust in the information society.

THE PERSONAL IS POLITICAL - ACCESSING NICK GRIFFIN TRIAL RECORDS UNDER FOIA

January 23rd, 2010 by Anya Proops

The Guardian reports today that the CPS has refused a request for disclosure of its records of the 1998 race-hate trial of Nick Griffin. In the year before he was elected leader of the BNP, Mr Griffin was given a suspended prison sentence after being convicted of an offence under the Public Order Act 1986. The prosecution case centred on a magazine edited by Mr Griffin in which he dismissed the Holocaust as a hoax. The Guardian’s article indicates that the paper requested disclosure of the CPS’s records of the trial in circumstances where no transcript had been made of the hearing. It would appear that the request was refused by the CPS under s. 40 FOIA (the personal data exemption) and, in particular, on the basis that a large proportion of the requested information was ‘sensitive personal data’ as it related to the commission of an offence and Mr Griffin’s political opinions (see section 2 of the Data Protection Act 1998). It would appear that the Guardian will now lodge a complaint with the Information Commissioner. For an example of how the Information Tribunal applied s. 40 FOIA to a request for disclosure of personal data about individuals who had been made subject to ASBOs see further Camden v IC EA/2007/21