Mehdi Hasan, the Daily Mail and the lack of Data Protection Act remedies

On the Friday, 3 October 2013 edition of the BBC programme “Question Time”, Mehdi Hasan, a journalist for the Huffington Post, criticised the Daily Mail (video here). Subsequently, the Daily Mail published details of an application letter Mehdi Hasan had written to the paper for a journalist position, suggesting that Mehdi had not always been so critical.

Was this publication in breach of the Data Protection Act 1998?

Firstly, if the Daily Mail had the personal information about Mehdi Hasan legitimately, then there is a journalism exemption under section 32 of the Act that would enable the paper to publish non-sensitive personal data for journalistic purposes.

The more interesting question is, “Was the personal data on Mehdi Hasan being processed (stored) by the Daily Mail legitimately prior to it having any journalistic purpose?” Note that the application letter was sent in July 2010, over 3 years ago.

On the facts in the public domain, the most likely answer to this question is, “No”.

The reason is that under the Data Protection Act 1998, personal data can only be retained by a data controller (data owner) for as long as it is required for a particular business purpose or purposes (see Data Protection Principles 2 and 5). Arguably, once a job applicant has been rejected, there is no further business purpose justifying retaining that applicant’s personal data. Claims arising out of discrimination or other employment-related claims as a result of unlawful handling of a person’s application for employment must be made within 6 months of the event giving rise to a claim. This is therefore the standard retention period for personal data concerning unsuccessful applicants. However, where an applicant has agreed upon request by the potential employer that his or her details can be retained on file for consideration for other positions, then clearly this 6 months period can be extended.

The 6 months retention rule is not laid down in any law or regulation. It is derived from the limitation period for bringing claims in the Employment Tribunal and the guidance on retention of applicants’ details set out in the Information Commissioner’s Employment Practices Code (see the ICO employment webpage for links). Where a data controller has a legitimate business purpose for retaining that information, then as well as communicating that purpose to the applicant, the applicant’s information can be retained for as long as is necessary for that purpose. It is difficult, however, to see under what circumstances information about unsuccessful job applicants needs to be retained for over 3 years by a prospective employer.

However, the real issue here is that even if the publication of details of Mehdi Hasan’s application letter were in breach of the Data Protection Act 1998, Mehdi would have no effective remedy under the Data Protection Act 1998, unless he suffered actual loss or damage, in which case he could sue for these losses or damages, together with damages for distress (as the breach arguably involved a breach of the journalism ‘special purpose’ provisions). It is unlikely that Mehdi suffered any loss or damage, but merely embarrassment.

Publish and be damned? Commercial bloggers.

Guido Fawkes (Gunpowder Plot)

In my first post on the draft Royal Charter for Self-Regulation of the Press (the “Royal Charter”) and amendments tabled for consideration in the Crime and Courts Bill (the “Amendments”) published on Monday, 18 March 2013, I stated that as a private blogger, they would not worry or concern me.

What about commercial blogs and bloggers?

The Royal Charter definition of “relevant publisher” makes no distinction between personal or commercial blogs. It catches any blog which publishes news-related material. This includes publishers based outside of the UK, if it is determined that the news-related material on the blog is directed at the UK. For example, Global and General Nominees Ltd, the St Kitts and Nevis publisher of the Guido Fawkes blog, must be considered to be a relevant publisher for the purposes of the Royal Charter.

However, if an offshore relevant publisher chose not to sign up to a recognised/approved regulator, what would be the effect? In other words, what is the risk to Guido Fawkes of joining the Spectator and Private Eye in ignoring the Royal Charter?

The heavy-handed Amendments attempt to penalise relevant publishers for not submitting to the jurisdiction of a recognised/approved regulator by permitting the courts to award exemplary damages against them and make adverse costs orders, in respect of certain claims (defined as “Relevant Claims”: civil claims for libel, slander, breach of confidence, misuse of private information, malicious falsehood and harassment).

Note that the definition of “relevant publisher” in the Amendments is different.

NC29 of the Amendments’ definition for “relevant publisher” catches a person who, in the course of business (whether or not carried on with a view to profit), publishes news-related material. The first obvious question is what, in the context of the Crime and Courts Bill, does “in the course of business” mean? It’s anyone’s guess, but going by the old favourite of the plain, ordinary meaning of the words, I’d suggest that any website or blog that is published by a commercial entity or charity will be caught. This will catch many political current affairs blogs, such as LabourList, PoliticsHome and ConservativeHome. The grey area will be personal blogs that also carry advertising – will these be sufficiently commercial to be “in the course of business”?

Taking the two definitions into account, I’d say the Guido Fawkes blog was a relevant publisher for both the Royal Charter and the Amendments and so was caught by them. So what?

For the threat of exemplary damages and adverse costs orders under the Amendments to have any effect on overseas commercial blogs, in order to persuade them to volunteer to be subject to a recognised press regulator under the Royal Charter, the blogs would have to be convinced that claimants could successfully bring a Relevant Claim against them. This would require Relevant Claim claimants to get leave to serve a claim outside of the relevant jurisdiction (see Civil Procedure Rules Part 6 and relevant Practice Direction 6B), to get a default judgment, assuming the blog publishers ignore the claimants’ served claims (Part 12 and Practice Direction 12) and obtain orders to enforce any judgments (eg stop orders? Part 73 and Practice Direction 73). All tricky steps – good luck with that for a claimant who is a normal person of usual means.

I suspect that many overseas commercial blogs, Guido Fawkes amongst them, will not be sufficiently worried by the Amendments regime to rush into the arms of a Royal Charter recognised press regulator.

Publish and be damned? Not bloggers.

Harriette Wilson

It is always a joy to see the executive at work. Yesterday saw the publication of a rushed draft Royal Charter for Self-Regulation of the Press (the “Royal Charter”). At the same time, a set of amendments were scrambled together and tabled for consideration in the Crime and Courts Bill (the “Amendments”).

You can tell there was not much careful reflection on the effect of the combined documents simply by seeing the confusion that abounds. This being a lawyer’s blog, I am interested in the misaligned definitions of “relevant publisher”.

It must be uncontroversial to state that the Royal Charter, whether by accident or design, will catch self-hosted blogs that comment on current affairs or politics. Schedule 4(1) includes:

b) “relevant publisher” means a person (other than a broadcaster) who publishes in the United Kingdom:

i. a newspaper or magazine containing news-related material, or

ii. a website containing news-related material (whether or not related to a newspaper or magazine);

d) a person “publishes in the United Kingdom” if the publication takes place in the United Kingdom or is targeted primarily at an audience in the United Kingdom;

e) “news-related material” means:

i. news or information about current affairs;

ii. opinion about matters relating to the news or current affairs; or

iii. gossip about celebrities, other public figures or other persons in the news.

There is some potential confusion in what is meant by a website. This blog is hosted and comes under the domain of WordPress. Is this my website or does it belong to WordPress, for the purposes of the “relevant publisher” definition? The blog is aimed at an audience in the UK; is the website hosting it? If I hosted the blog on my own domain, even using WordPress software, then it is clearer that I would be a “relevant publisher”.

So what? Firstly, the Royal Charter is all about setting up a recognition panel for regulators of relevant publishers. Sure, these regulators must have their own standard codes, and in order to be recognised must have an arbitration process for complainants and relevant publishers, an enforcement mechanism (with fines of up to 1% turnover to a maximum of £1 million for breaches of standard codes) and the ability to direct corrections and apologies. However, nothing in the Royal Charter would require me, as a blogger who is a “relevant publisher”, to subject myself to the jurisdiction of a recognised regulator. I can choose to stay unregulated.

Any reports that as a blogger I could be fined up to £1 million are therefore wide of the mark.

What about the Amendments? These are, in essence, an indirect method of getting relevant publishers to sign up to a recognised regulator – in the terminology of the Amendments, an approved regulator. If relevant publishers fail to sign up, then they risk being subject to an award of exemplary damages in certain defined causes of action (see the definition of “Relevant Claims”: civil claims for libel, slander, breach of confidence, misuse of private information, malicious falsehood and harassment), if the claimant is successful against them. If I were a relevant publisher blogger caught by the Royal Charter, should I be worried?

No.

This is because in the Amendments, “relevant publisher” is given a different definition:

NC29

(1) In sections [Awards of exemplary damages] to [Awards of costs], “relevant publisher” means a person who, in the course of a business (whether or not carried on with a view to profit), publishes news-related material—

(a) which is written by different authors, and

(b) which is to any extent subject to editorial control.

This is subject to subsections (5) and (6).

(2) News-related material is “subject to editorial control” if there is a person (whether or not the publisher of the material) who has editorial or equivalent responsibility for—

(a) the content of the material,

(b) how the material is to be presented, and

(c) the decision to publish it.

(3) A person who is the operator of a website is not to be taken as having editorial or equivalent responsibility for the decision to publish any material on the site, or for content of the material, if the person did not post the material on the site.

(4) The fact that the operator of the website may moderate statements posted on it by others does not matter for the purposes of subsection (3).

News-related material has the same meaning in the Amendments as in the Royal Charter. It is also made clear in the Amendments that a reference to “publication” of material is a reference to publication on a website, in hard copy, or by any other means.

So for the purposes of the Amendments and the threat of exemplary damages, I would not be a relevant publisher, whether this blog was hosted by WordPress or self-hosted. WordPress would also not be a relevant publisher for a WordPress-hosted blog (no editorial control).

So as a blogger, I will not lose any sleep over the Royal Charter or the Amendments as they stand today.

[The image is of Harriette Wilson, courtesan to, amongst others, the Duke of Wellington. On being threatened that she would publish her memoirs, he is reported to have said, “Publish and be damned.”]

Clinical Commissioning Groups’ Sale of Patient Data

Arguably the most significant reform of the Health and Social Care Act 2012 is the introduction of a National Health Service Commissioning Board, which will supervise local primary care clinical commissioning groups. These clinical commissioning groups will replace primary healthcare trusts. Primary healthcare providers, particularly GPs, were always the gatekeepers to the National Health Service, but under the 2012 reforms, they will also be the principal budget holders under these clinical commissioning groups, buying secondary care in a quasi-competitive open market.

Under ss14X and 14Y of the National Health Service Act 2006, following wholesale amendment to that 2006 Act by the Health and Social Care Act 2012, clinical commissioning groups will have separate statutory duties to promote innovation and research. The groups also have a duty to carry out their functions effectively, efficiently and economically (s14Q).

To assist clinical commissioning groups in their extensive duties set out in Part 2 of the 2006 Act, they will have the power to raise income (a new power under s14Z5 of the 2006 Act), by doing anything the Secretary of State can do under ss7(2)(a), (b) and (e) to (h) of the Health and Medicines Act 1998, either alone or with other groups. In particular, s7(2)(f) will permit the groups “to develop and exploit ideas and exploit intellectual property.”

Whilst it may therefore be a stretch to argue that clinical commissioning groups have a duty to exploit the value there may be in patient data, it is clear that to exploit patient data is well within their duties and powers under the 2006 Act. In addition, disclosure of information “made for the purpose of facilitating the exercise of any of the clinical commissioning group’s functions” is explicitly permitted by the 2006 Act (s14Z23(1)(f)).

This only leaves the Data Protection Act 1998 to consider. Could clinical commissioning groups sell patient data under the Data Protection Act 1998, with or without the consent of patients themselves?

This is an interesting question. One answer is that it would be possible. In order to process patient data, the groups would have to meet one of the conditions for processing sensitive personal data (as defined in the Data Protection Act 1998).

It is arguable that there is a statutory basis for selling the data, being to comply with commissioning groups’ statutory duties to promote innovation and research, and to raise income in order to exercise their statutory duties effectively, efficiently and economically. As there is a statutory basis, the selling of patient data could be argued to be “necessary for the exercise of functions conferred by or under statute” – which is one of the conditions for which the processing of sensitive personal data is permitted under the Data Protection Act 1998 (paragraph 7(1)(b) of Schedule 3 of the Data Protection Act 1998). This does not require patients’ consent.

In addition, processing for research purposes is itself a permitted purpose under the Data Protection Act 1998 (paragraph 10 of Schedule 3 of the Data Protection Act 1998, and paragraph 9 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417); again without patient consent.

Lastly, there is always the ‘medical purposes’ condition of paragraph 8 of Schedule 3 to the Data Protection Act 1998:

8 (1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

Patients’ consent may not strictly be required by law, but under the first (and second) data protection principle, patients will have to be made aware by clinical commissioning groups that their data, in whatever form, for medical research purposes. Patients could try to exercise a stop notice right under s10 of the Data Protection Act 1998, but ‘good luck with that’ is the phrase that immediately springs to mind.

Although it may be lawful for commissioning groups to sell patient data, it may be that best practice will lead to any sale being restricted to Barnardised or anonymised patient data. This may be clarified by the NHS Commissioning Board, which has a responsibility to issue guidance on the processing of patient information under s13S of the 2006 Act, following the abolition of the National Information Governance Board for Health and Social Care in the 2012 Act. ‘Patient information’ in this context is a new term defined at s20A of the Health and Social Care Act 2008, and is broader than a patient’s personal data, as defined under the Data Protection Act 1998, to include any information about a person’s health, diagnosis or care or data derived from that information, whether that information or data identifies an individual or not.

So, a case can be made for saying that commercialisation of patient data may well be a consequence of the Health and Social Care Act 2012. Whether this consequence was unintended or was anticipated is for others to answer.

Twitter, Google and EU Privacy

At the end of February it was reported that Twitter was selling off old tweets to marketing companies. Google also, with effect from 1 March 2012, changed its privacy policy for all of its services. These include YouTube, Gmail and Blogger as well as the ubiquitous search engine. In neither case were users’ consents obtained for the transaction or changes. This raises a number of privacy and data protection issues. In Google’s case the EU Justice Commissioner, Viviane Reding, has gone on record saying “transparency rules have not been applied”. The French data protection authority, the CNIL, launched a European-wide investigation into the Google policy changes.

I predict that there will be more of these announcements and privacy policy tweaks during the coming months. Companies with large banks of users’ or customers’ data from the European Union have a small window of opportunity to commercialise that data before the implementation of a new European Union data protection regulation. The draft of this regulation was published by the EU Justice Commission on 25 January 2012. In its current draft form, the regulation will begin to apply 2 years from the date it comes into force. No national laws are required to bring an EU regulation into effect in a member state.

Companies will therefore have 2 years in which to rely on the more relaxed rules included in the Data Protection Directive 95/46/EC. In particular, some processing that can be conducted without the consent of individuals, where these are new uses of the individuals’ data which are in the “legitimate interests pursued by [the company] or by the third party or parties to whom the data are disclosed”, will become much more difficult, if not impossible.

The whole nature of consent is properly addressed in the draft regulation. In the Directive, data can be processed where there is unambiguous consent. In the UK implementation of the Directive, the Data Protection Act 1998, it has always been possible to obtain consent indirectly for data that is not “sensitive personal data”. Whilst this has been one of a number of long-standing issues between the European Commission and the UK on data protection, there is a new provision in the draft regulation that will address valid consent. Of particular interest in cases such as Google, which is a dominant operator in the search engine services market, is the draft provision that states “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the [company]”.

This goes back to another of the significant changes in the draft regulation. In the Directive there is a basic provision that personal data must be “processed fairly and lawfully”. In the regulation, the equivalent provision is “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Expect some interesting arguments about transparency in the coming months – perhaps these have already started, given Viviane Reding’s comments on the Google changes.

To make matters even more interesting, the draft regulation gives consumer bodies the standing to be able to complain to a supervisory authority about data protection breaches on behalf of individuals. Super-complaints, as they are known in competition law, will up the ante for regulators – easy for the Information Commissioner to downplay an individual’s complaint; less easy to ignore a complaint from a body such as Which? or the National Consumer Council.

Lastly, the draft regulation includes new powers for supervisory authorities, including the power to fine enterprises, in the worst cases, up to 2% of their annual worldwide turnover. That ought to grab the attention of companies like Google and Twitter.