PATIENT DATA SHARING - ARE WE RUNNING OUT OF PATIENCE?

March 26th, 2010 by Anya Proops

The question of the extent to which those working within the national health service should have access to patient data is a difficult one to resolve. On the one hand, permitting widespread access can potentially enable health service provides to provide more efficient, ‘joined up’ health-care to patients. On the other hand, there will always be concerns that too much access increases the risk that patient data, which is obviously sensitive personal data for the purposes of s. 2 of the Data Protection Act 1998, will be misused and/or inadvertently disclosed to third parties. We have seen this debate unfolding not least in respect of the Spine database project which is aimed at achieving a comprehensive centralised database of NHS patient records. The British Medical Association amongst others have alreeady expressed concern that the system is being rolled out too quickly (see further this article from the Guardian earlier this month). Today, reports are surfacing in the media that an NHS Trust in Wales is failing to ensure that proper restrictions are being placed on hospital staff accessing patient data (see further this BBC article which suggests hospital porters, IT staff and administrators have all been permitted access to patient data). This kind of story is only going to fuel concerns that the quest for efficiency in patient treatment requires too high a price to be paid in terms of compromising the privacy rights of patients.

Tags: , , ,
Posted in Uncategorized | Comments Off

DISCLOSING INFORMATION FOR CHILD PROTECTION PURPOSES - NEW ADMINISTRATIVE COURT JUDGMENT

March 19th, 2010 by Anya Proops

The question of whether and to what extent local authorities can or should share information about individuals thought to pose a risk to children is often a very difficult one to answer in practice. Failure to disclose the information may expose the authority to claims that it has not acted in accordance with its duties to safeguard children’s interests. On the other hand, sharing the information may expose the authority to claims that it has acted in excess of its powers and has otherwise breached the individual’s right to privacy under Article 8 ECHR. In the recent case of H & L v X City Council and Y City Council [2010] EWHC 466 (Admin), the Administrative Court considered this question in a case involving the disclosure of information by a local authority about a severely disabled man (H) who been convicted of indecent assault on a child. In this case, the council had made a variety of disclosures to organisations with which H was involved. It had also adopted a policy of considering on a case by case basis whether it should make disclosure of information relating to H to organisations with which he became involved in the future. In addition, the local authority had a policy of disclosing information to H’s personal care assistants, purportedly to protect any children those carers may bring into contact with H.

In a judgment which recognised the very strong imperative in favour of protecting children’s interests, Judge Langan QC held that the policies of disclosure to organisations with which H was involved constituted a proportionate interference with H’s Article 8 right to privacy and was otherwise lawful. In reaching this conclusion, the judge took into account the fact that the disclosures were fairly guarded in nature; were not made in lurid terms and did not go beyond what was required for the purpose of making a measured communication. The judge similarly held that the policy of notifying other organisations with which H came into contact in future on a case-by-case basis was a reasonable, proportionate and otherwise lawful policy. However, the judge took issue with the authority’s policy of notifying H’s care assistants. He held that this was a disproportionate measure, particularly in view of the facts that: two of the three long-term carers had no children; there was a ‘no children at work’ provision in the relevant employment contracts and, further, the terms of the disclosures would raise suspicions in the minds of the carers which was more grave than H’s past conduct justified. In reaching his conclusions on the various policies adopted by the council, the judge plainly had in mind the recent important Supreme Court judgment in R(L) v Commissioner of Police of the Metropolis [2009] 3 WLR 1056, where the Supreme Court held that it was no longer right to assume that priority must be given to the need to protect the vulnerable over the right to respect for the private life of the individual. What this case perfectly illustrates is the highly fact-sensitive approach which needs to be adopted in any case where the local authority is contemplating sharing information for child protection purposes. Tim Pitt-Payne appeared on behalf of the local authority

Tags: , ,
Posted in Uncategorized | Comments Off

Home Office publishes response to its consultation on communications data

November 16th, 2009 by Robin Hopkins

The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.

 

The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.

 

A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.

 

As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.

 

Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.

The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.

Tags: , , , , , ,
Posted in INFORMATION LAW | Comments Off

NHS SPINE - PERMISSION TO DELETE CARE RECORDS

May 27th, 2009 by Anya Proops

The creation of electronic summary patient records which can readily be accessed by medical teams on the NHS broadband computer system, known as the Spine, is one which has met with approval in many quarters. This is unsurprising given the potential health benefits resulting from clinicians being able to access such records. However, this approval has been tempered by concerns that the NHS, in common with other large-scale public authorities, may not be able to maintain appropriate levels of security with respect to this manifestly sensitive personal data. Yesterday the Guardian reported that, following talks between the ICO and Connecting for Health (CfH), the agency responsible for implementing the records scheme, CfH has now yielded to calls for NHS patients be given the right to have their summary care records deleted from the system (although deletion would not occur if the records had already been used, in which case they would be archived for medic-legal reasons). The right to have records deleted will be additional to the right already granted to patients to opt out of the scheme before a record is created for them. CfH’s decision to permit patients to have their record deleted represents a move away from earlier proposals that, where objections were made, the record would simply be ‘masked’ within the system. Notably, the news over changes to the care records scheme comes only days after it was revealed that records revealing personal data relating to tens of thousands of MOD personnel, which were lost last year, had contained not merely financial information but also highly sensitive vetting information. The revelations have been controversial because, whilst the loss was announced last year, neither Parliament nor the ICO were informed that the lost data included sensitive vetting data.

Tags: , , ,
Posted in Uncategorized | Comments Off

Recent conference papers

April 30th, 2009 by Timothy Pitt-Payne QC

On 11 KBW’s main website, you can now find some conference papers delivered this month by members of chambers.

There’s a paper that I gave at a Northumbria University conference.  The theme of the conference was information sharing; my paper is about the new law on breach of confidence (post-Campbell v MGN).

Yesterday, the LGG/11KBW legal update conference took place, with about 115 delegates.  Karen Steyn gave a paper on recent case-law affecting local authorities; the first section is about information law.  I gave a paper about employment vetting.  In discussion, delegates were clearly very interested in getting to grips with the new ISA barring regime.  Questions were raised about its implications for elected members of local authorities, and for volunteers (e.g. parents helping out in schools).  

Another subject  raised in discussion was the recent decision of the Administrative Court in R(G) v Governors of X School and Y City Council.  A music assistant employed at a primary school was dismissed; the allegation was that he had formed an inappropriate relationship with a 15 year old boy who was on work experience at the school.  The school’s disciplinary committee told the employee that they would be reporting the case to the Secretary of State for potential inclusion in “list 99″ (i.e. the statutory list of those banned from working in schools).  The Court quashed the decision because the school had refused to allow legal representation at the dismissal hearing or at a forthcoming appeal.  The disciplinary proceedings, and the referral to the Secretary of State for a potential banning direction, formed part of one and the same proceedings.  Those proceedings were not criminal in nature for the purpose of article 6 of the Convention.  However, their potential consequences were grave; and procedural fairness required the claimant to be allowed legal representation, before both the school’s disciplinary committee and its appeal committee.

Tags: , ,
Posted in INFORMATION LAW | Comments Off

A problem shared is a breach of the DPA?

April 9th, 2009 by Timothy Pitt-Payne QC

It’s a good time for a conference about information sharing.  The data sharing provisions in the Coroners and Justice Bill have been withdrawn, in the face of widespread criticism - including from the Bar Council (for more background, see our previous posts here and here).   The question whether anything will be done to implement last year’s Thomas/Wolpert review remains an open one. 

Against this background, Northumbria University’s conference on 17th April is topical.  Speakers include Richard Thomas (coming to the end of his term as Information Commissioner), Marcus Turle from Field Fisher Waterhouse, and Steve Eccleston from Sheffield City Council.  I shall be delivering a paper about breach of confidence and its significance for information sharing (I will post it on the 11KBW website after the conference).

Tags: ,
Posted in INFORMATION LAW | Comments Off

The Age of Internet Surveillance

April 6th, 2009 by Anya Proops

With effect from today, all UK internet service providers (”ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (”the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off

A suitable case for recruitment

April 4th, 2009 by Timothy Pitt-Payne QC

 Information law overlaps with employment law in two main ways, in relation to employment vetting and employment monitoring. Broadly speaking vetting is about the enquiries that an employer can make before recruitment, and monitoring is about checking on the performance and behavior of existing employees.

 
The legal framework for employment vetting is changing radically, as the Safeguarding Vulnerable Groups Act 2006 is brought into force. The Act implements the Bichard Report, which followed an inquiry into the notorious 2002 Soham murders. It establishes a new vetting and barring scheme for those working with children or vulnerable adults, to be operated by a statutory body called the Independent Safeguarding Authority (ISA).

 
With effect from 20th January 2009, the ISA was given responsibility for decision-making under the 3 existing employment barring lists: the education list, (popularly known as “List 99″), the PoCA list (for those working with children) and the PoVa list (for those working with vulnerable adults). As from 12th October 2009 these 3 lists will be replaced by two new lists introduced by section 2 of the 2006 Act and maintained by the ISA -  the children’s barred list and the adults’ barred list.  Employers, social services and professional regulators will have a duty to share information with the ISA. From July 2010, new entrants to roles working with vulnerable groups and those switching jobs within the sector will be able to register with the ISA, and employers will be able to check registration status online. The legal requirement for new entrants and those moving jobs to register with the ISA, and for employers to check on their status, will come into force by November 2010. The intention is to bring the whole of the existing workforce into the scheme by 2015.

 
I will be delivering a paper about employment vetting at the Local Government Group conference on 29th April, and the paper will be available on 11KBW’s website after the conference.  For consideration of whether the existing PoVA list is compatible with articles 6 and 8 of the European Convention on Human Rights, see R (ota Wright) v Secretary of State [2009] UKHL 3.  For the timetable for implementing the 2006 Act, see here and here.

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off

Rowntree Report on Database State

March 23rd, 2009 by Anya Proops

The Joseph Rowntree Reform Trust has today published its report ‘The Database State’. The report purports to amount to the most comprehensive map of central government databases yet created. In total 46 databases across the major government departments were considered in the report, including, for example, the national DNA database, the national pupil database, the NHS detailed care record system and the automatic number-plate recognition system. In summary, the report concluded that:

  • a quarter of the 46 databases reviewed were ‘almost certainly illegal under human rights or data protection law; that they should be scrapped or substantially redesigned’ (including, for example, the Contactpoint index of all children in England and the national DNA database - on the latter database, see further the January 2009 post on the Marper case);
  • ‘more than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge’ (including, for example, the NHS Summary Care Record and the National Pupil Database);
  • fewer than 15% were ‘effective, proportionate and necessary with a proper legal basis for any privacy instrusions’;
  • Britain was generally out of line with other developed countries as a result of its comparably greater tendancy to centralise and share records on sensitive matters like healthcare and social services; that ’the benefits claimed for data sharing are often illusory’.

Along with the House of Lords Report on the Surveillance Society published in February 2009 (see further the February 2009 post on the Lords Report), this report is likely to increase pressure on the Government to reexamine a raft of policies on data collection, management and storage.

http://www.jrrt.org.uk/uploads/Database%20State.pdf

Executive Summary:

http://www.jrrt.org.uk/uploads/Database%20State%20-%20Executive%20Summary.pdf

Tags: , , , ,
Posted in Uncategorized | Comments Off

BMA Expresses Concerns about New Data Sharing Powers

February 18th, 2009 by Anya Proops

The Coroners and Justice Bill was introduced in the House of Commons on 14 January 2009. Clause 152 of the Bill provides for the Data Protection Act 1998 to be amended to include a number of new provisions on data sharing. Those provisions include a section which creates a broad general power enabling any ‘designated authority’ to make an ‘information sharing order’, which is to say an order which enables ‘any person to share information which consists of or includes personal data’ (new section 50A(1)). The relevant designated authorities’ are ‘appropriate Ministers’ (i.e. Secretaries of State, the Treasury and Ministers in charge of government departments); Scottish Ministers; Welsh Ministers and a Northern Ireland Department (new section 50A(2)). Whilst these broad powers are subject to a number of limitations including those provided for under new sections 50C, 50A(4) and 50A(6), this has not prevented concerns being expressed as to the potential risks entailed upon these new provisions. Most recently, in an interview with the Guardian (14 February 2009), the British Medical Association’s Chairman, Hamish Meldrum, confirmed that he was ‘extremely concerned’ about these new data sharing powers, not least because they would potentially enable Ministers to allow patient data to be shared not merely within the NHS but also with other ministries and even private companies. Mr Meldrum said that the trust between doctors and patients would be destroyed if the Bill became law as it stands. The new powers embodied in clause 152 of the Coroners and Justice Bill follow in the wake of the development of another significant and controversial data sharing scheme under which the medical records of everyone in England are to be uploaded onto a national database, known as the Spine.

The Bill:

http://www.publications.parliament.uk/pa/cm200809/cmbills/009/2009009.pdf

Guardian Articles:

http://www.guardian.co.uk/technology/2009/feb/14/medical-records-nhs-privacy

http://www.guardian.co.uk/society/2008/sep/18/health.nhs

Tags: , , , ,
Posted in 1 | No Comments »

« Older Entries