Clinical Commissioning Groups’ Sale of Patient Data

Arguably the most significant reform of the Health and Social Care Act 2012  is the introduction of a National Health Service Commissioning Board, which will supervise local primary care clinical commissioning groups. These clinical commissioning groups will replace primary healthcare trusts. Primary healthcare providers, particularly GPs, were always the gatekeepers to the National Health Service, but under the 2012 reforms, they will also be the principal budget holders under these clinical commissioning groups, buying secondary care in a quasi-competitive open market.

Under ss14X and 14Y of the National Health Service Act 2006, following wholesale amendment to that 2006 Act by the Health and Social Care Act 2012, clinical commissioning groups will have separate statutory duties to promote innovation and research. The groups also have a duty to carry out their functions effectively, efficiently and economically (s14Q).

To assist clinical commissioning groups in their extensive duties set out in Part 2 of the 2006 Act, they will have the power to raise income (a new power under s14Z5 of the 2006 Act), by doing anything the Secretary of State can do under ss7(2)(a), (b) and (e) to (h) of the Health and Medicines Act 1998, either alone or with other groups. In particular, s7(2)(f) will permit the groups “to develop and exploit ideas and exploit intellectual property.”

Whilst it may therefore be a stretch to argue that clinical commissioning groups have a duty to exploit the value there may be in patient data, it is clear that to exploit patient data is well within their duties and powers under the 2006 Act. In addition, disclosure of information “made for the purpose of facilitating the exercise of any of the clinical commissioning group’s functions” is explicitly permitted by the 2006 Act (s14Z23(1)(f)).

This only leaves the Data Protection Act 1998 to consider. Could clinical commissioning groups sell patient data under the Data Protection Act 1998, with or without the consent of patients themselves?

This is an interesting question. One answer is that it would be possible. In order to process patient data, the groups would have to meet one of the conditions for processing sensitive personal data (as defined in the Data Protection Act 1998).

It is arguable that there is the statutory basis for selling the data, being to comply with commissioning groups’ statutory duties to promote innovation and research, and to raise income in order to exercise their statutory duties effectively, efficiently and economically. As there is a statutory basis, the selling of patient data could be argued to be “necessary for the exercise of functions conferred by or under statute” – which is one of the conditions for which the processing of sensitive personal data is permitted under the Data Protection Act 1998 (paragraph 7(1)(b) of Schedule 3 of the Data Protection Act 1998). This does not require patients’ consent.

In addition, processing for research purposes is itself a permitted purpose under the Data Protection Act 1998 (paragraph 10 of Schedule 3 of the Data Protection Act 1998, and paragraph 9 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417); again without patient consent.

Lastly, there is always the ‘medical purposes’ condition of paragraph 8 of Schedule 3 to the Data Protection Act 1998:

8 (1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

Patients’ consent may not strictly be required by law, but under the first (and second) data protection principle, patients will have to be made aware by clinical commissioning groups that their data, in whatever form, will be processed for medical research purposes. Patients could try to exercise a stop notice right under s10 of the Data Protection Act 1998, but ‘good luck with that’ is the phrase that immediately springs to mind.

Although it may be lawful for commissioning groups to sell patient data, it may be that best practice will lead to any sale being restricted to Barnardised or anonymised patient data. This may be clarified by the NHS Commissioning Board, which has a responsibility to issue guidance on the processing of patient information under s13S of the 2006 Act, following the abolition of the National Information Governance Board for Health and Social Care in the 2012 Act. ‘Patient information’ in this context is a new term defined at s20A of the Health and Social Care Act 2008, and is broader than a patient’s personal data, as defined under the Data Protection Act 1998, to include any information about a person’s health, diagnosis or care or data derived from that information, whether that information or data identifies an individual or not.

So, a case can be made for saying that commercialisation of patient data may well be a consequence of the Health and Social Care Act 2012. Whether this consequence was unintended or was anticipated is for others to answer.

Saturday Hassan and Human Rights

The case of Saturday Hassan, widely reported in the Daily Telegraph, Daily Mail and on BBC Radio 4 Today on 21 December 2012, highlights the confusion that still exists about the interaction between the Data Protection Act 1998, the Freedom of Information Act 2000 and, indirectly, the Human Rights Act 1998.

Saturday Hassan is serving a life sentence for the murder of Darren Deslandes – he was shot dead on New Year’s Eve 2009. Darren’s parents, Wintworth and Lurline Deslandes, want the Home Office to disclose Hassan’s immigration status, so that it can be confirmed that if he is an illegal immigrant or foreign national, he will be deported when he is finally released from jail. It is reported that the Home Office have refused the request, on the grounds of the protection of Hassan’s right to privacy (under Article 8 of the European Convention of Human Rights, incorporated into UK law by the Human Rights Act 1998).

This is an inadequate reason, without further explanation from the Home Office. It may also be wrong at law, but the relevant law is complex. I set out below one way in which the information could be lawfully disclosed, but there are others that would need careful analysis of all the relevant facts.

There are various offences related to immigration under, for example, the Immigration Act 1971. It can therefore be legitimately argued that information concerning Hassan’s immigration status is sensitive personal data under the Data Protection Act 1998, for which a higher level of safeguards applies. However, sensitive personal data can be processed for a number of lawful reasons, including for the administration of justice or for the exercise of any functions of a Minister of the Crown or government department. Its disclosure, if for these purposes, would therefore not be a breach of the data protection principles, and so would be permitted under the Freedom of Information Act 2000.

What is covered by the “administration of justice” purposes in the Data Protection Act 1998 has not been judicially determined, but in other cases that have reached the European Court of Human Rights (ECHR) in Strasbourg, it has been made clear that the ECHR would consider whether any interference to a citizen’s Article 8 right to privacy was justified. In the terms set out in S and Marper v The United Kingdom [2008] ECHR 30562/04 (a case involving retention of DNA records by the police), the ECHR said:

An interference will be considered “necessary in a democratic society” for a legitimate aim if it answers a “pressing social need” and, in particular, if it is proportionate to the legitimate aim pursued and if the reasons adduced by the national authorities to justify it are “relevant and sufficient”. While it is for the national authorities to make the initial assessment in all these respects, the final evaluation of whether the interference is necessary remains subject to review by the Court for conformity with the requirements of the Convention (see Coster v. the United Kingdom [GC], no. 24876/94, § 104, 18 January 2001, with further references). (paragraph 101)

It is therefore arguable that the Home Office could decide that the Deslandes and other similar indirect victims of crime do have a pressing social need to know whether they are safe from the perpetrator of the relevant crime reappearing on their doorstep. It certainly is not as simple as saying Hassan’s right to privacy trumps every other consideration.

Bureau of Investigative Journalism v Bell Pottinger: a question of standards?

You may have thought that experienced public relations professionals would realise that there is no such thing as a private or “off the record” briefing, but the report last week from the Bureau of Investigative Journalism (BIJ) into the activities and practices of Bell Pottinger (BP) suggests this is not the case.

The BIJ used what is colloquially called a sting by posing as potential clients from a regime with questionable human rights and anti-corruption credentials, to reveal boasts from BP of what it could do in terms of media management and lobbying on behalf of a less desirable client, if that client showed commitment to a reform agenda. The sting included the use of hidden cameras and recording equipment, in what many consider to be tactics close to being entrapment.

The BIJ published its report, including video clips, on its website. The report was picked up by a number of press and broadcast media channels.

The story therefore provides a neat example of the difference in regulation between bloggers/websites, press media and broadcast media. This could not be more topical, as the Leveson Inquiry considers press regulation.

Blogs and websites

Firstly, blogs, bloggers and their websites have few restrictions on what they do or say. Only privacy and libel laws (together with specific legislation such as provisions concerning incitement to racial or religious hatred in the Public Order Act 1986) limit how and what is reported – it is accepted that current libel law as practised in England and Wales may have a significant chilling effect on free speech, so that this is no trivial “only”. Assuming that there is no libel involved in the BIJ exposé as it merely faithfully reports BP’s own statements, then the question here is the methods used to get those statements. There are no specific laws against the use of surreptitious recording, if the recording does not involve interception of electronic communications within the scope of the Regulation of Investigatory Powers Act 2000 (eg hacking or phone monitoring) or unauthorised access to computers within the scope of prohibitions in the Computer Misuse Act 1990. The Data Protection Act 1998 might have relevance, but then within it is a journalism defence (section 35), which applies when the material processed is intended for any form of publication in the public domain and the publisher reasonably believes the publication is in the public interest. Although it does not say so explicitly, this publication must include blogs and websites.

A person seeking to challenge the publication could complain to the Information Commissioner, who has the power to levy monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998, but to date there has not been a case involving a failed section 35 defence. Action in the courts is possible (but expensive), but the level of damages is low – the most publicised case involved Naomi Campbell (Campbell v Mirror Group Newspapers [2002] EWHC 499 (QB), subsequently upheld by the House of Lords [2004] UKHL 22). Although not clearly identified as such, it would seem that her data protection damages amounted to a modest £1,000, out of a total award of £3,500 damages for breach of the Data Protection Act 1998 (damages for distress under section 13) and for breach of confidentiality.

More importantly, for private individuals’ blogs, it is arguable that any processing by them would be within the domestic purposes exemption (section 36), but this does depend upon how the law develops to interpret what are “recreational purposes” within that exemption.

Press media

For press media, there is little legislation above what applies to bloggers. The difference is that there is an increased level of self-imposed regulation, under the Press Complaints Commission (PCC) and its Editors’ Code. Article 10 of the Code states:

10 Clandestine devices and subterfuge
i) The press must not seek to obtain or publish material acquired by using hidden cameras or clandestine listening devices; or by intercepting private or mobile telephone calls, messages or emails; or by the unauthorised removal of documents or photographs; or by accessing digitally-held private information without consent.
ii) Engaging in misrepresentation or subterfuge, including by agents or intermediaries, can generally be justified only in the public interest and then only when the material cannot be obtained by other means.

However, these restrictions can be disregarded in the public interest, if an editor reasonably believed prior to publication that publication or journalistic activity prior to publication was in the public interest. Note that in dealing with any complaint about use of clandestine devices and subterfuge, the PCC can take into account “the extent to which material is already in the public domain, or will become so”. Does this mean that once information obtained by subterfuge is out in the public domain, it is fair game for press media to republish it?

The real question for the Leveson Inquiry is what happens when there has been a breach of the PCC Code. It is widely suggested that the PCC is too ready to find that there is public interest. Even when it finds that there is no public interest to warrant the breach of the Code, it is arguably toothless, so that remedies for the victim are derisory.

Broadcast media

Lastly, what if the BIJ report had been broadcast on the Channel 4 Dispatches programme, which appears to take some indirect flak from BP? Channel 4 is subject to the Broadcasting Code, regulated by Ofcom. Section 7 of the Broadcasting Code includes:

Deception, set-ups and ‘wind-up’ calls
7.14 Broadcasters or programme makers should not normally obtain or seek information, audio, pictures or an agreement to contribute through misrepresentation or deception. (Deception includes surreptitious filming or recording.) However:
• it may be warranted to use material obtained through misrepresentation or deception without consent if it is in the public interest and cannot reasonably be obtained by other means;
• where there is no adequate public interest justification, for example some unsolicited wind-up calls or entertainment set-ups, consent should be obtained from the individual and/or organisation concerned before the material is broadcast;
• if the individual and/or organisation is/are not identifiable in the programme then consent for broadcast will not be required;
• material involving celebrities and those in the public eye can be used without consent for broadcast, but it should not be used without a public interest justification if it is likely to result in unjustified public ridicule or personal distress. (Normally, therefore such contributions should be pre-recorded.)

So if a victim of deception complained to Ofcom, would the outcome be as weak as for the PCC?

This is where there is a marked difference between press and broadcast regulation. Whilst the actual regulations may be similar (see the above rules on deception/subterfuge), the penalties for getting it wrong as a broadcaster can be steep. Ofcom can fine up to £250,000 or 5% of a broadcaster’s qualifying annual revenue. The most recent case reported by Ofcom for breach of the fairness rule was a case involving Press TV Limited, who were fined £100,000 on 1 December 2011.

What price investigative journalism?

Many questions are being asked about the fourth estate in the aftermath of the News of the World hacking scandal. However, few seem to be considering the potential that reactionary measures adopted as a result of widespread illegality by journalists may make genuine investigative journalism that is conducted in the public interest impossible. In particular, the Information Commissioner’s 2006 report into the illegal sale of personal data, What Price Privacy?, is getting the attention it should have received 5 years ago. However, the reports of the number of incidences of sale of personal data to journalists fail to note that some of this activity could have been lawful.

There is already an exemption from the scope and reach of the Data Protection Act 1998 to cover genuine journalism. Section 32(1) of the Act states:

(1)  Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)  the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)  the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)  the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

“Special purposes” means any one or more of the purposes of journalism, artistic purposes and literary purposes (Section 3 of the Act).

The main criminal offence being committed by phone hackers under the Data Protection Act 1998 is the unlawful obtaining of individuals’ phone numbers and PINs for voice mail boxes – the actual interception of communications is either an offence under the Regulation of Investigatory Powers Act 2000 or the Computer Misuse Act 1990.  In particular, section 55 of the Act states:

55 Unlawful obtaining etc. of personal data.

(1)  A person must not knowingly or recklessly, without the consent of the data controller—

(a)  obtain or disclose personal data or the information contained in personal data, or

(b)  procure the disclosure to another person of the information contained in personal data.

(2)  Subsection (1) does not apply to a person who shows—

(a)  that the obtaining, disclosing or procuring—

(i)  was necessary for the purpose of preventing or detecting crime, or

(ii)  was required or authorised by or under any enactment, by any rule of law or by the order of a court,

(b)  that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

(c)  that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

(d)  that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3)  A person who contravenes subsection (1) is guilty of an offence.

(4)  A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5)  A person who offers to sell personal data is guilty of an offence if—

(a)  he has obtained the data in contravention of subsection (1), or

(b)  he subsequently obtains the data in contravention of that subsection.

(6)  For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7)  Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(8)  References in this section to personal data do not include references to personal data which by virtue of section 28 or 33A are exempt from this section.

It is therefore clear that there is a public interest defence to the section 55 criminal offence, at section 55(2)(d), that would enable the techniques being used by News of the World and others to continue to be used for legitimate investigative journalism.

When it comes to interception of communications, which is an offence under section 1 of the Regulation of Investigatory Powers Act 2000, there is a complex set of exemptions both in the Act itself (at section 3) and under the Telecommunications (Interception)(Lawful Business Practices) Regulations 2000. I therefore have some sympathy with investigative journalists in that there does not appear to be a simple public interest defence open to them to be able to intercept communications lawfully. Similarly, if accessing voice mail boxes were considered to be computer misuse under the Computer Misuse Act 1990, there is no public interest defence under the 1990 Act.

I therefore consider that in any consideration of greater regulation of the press, consideration should be given to providing for public interest defences for the purposes of journalism in the 1990 and 2000 Acts. I also agree that the maximum penalty of £5,000 for a breach of section 55 is lamentable. It was in 2006, it clearly is in 2011.

DoJ, Wikileaks and Twitter: Stones and Glasshouses

There seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possibly Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasise that any action by a designated person or a person authorised by them is “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the designated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice can be unlimited. The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1))(the “Data Retention Directive Purposes”)(emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”. Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication” (Regulation 2). This definition is slightly different from that set out at section 21(4) of RIPA (see above); the clearest differences are that in RIPA location data is expressly included and defined (at sections 21(6) and (7)), and the broader definition of traffic data. In particular, the definition of traffic data in the Data Retention Regulations does not exclude from the definition of traffic data, data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule. This is generally data necessary: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment). The retention period for all communications data retained under the Regulations is twelve (12) months (Regulation 5). The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be retained for longer than is necessary for the specified and lawful purpose(s) of the data controller. Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be exempt from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention of Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]