Clinical Commissioning Groups’ Sale of Patient Data

Arguably the most significant reform made by the Health and Social Care Act 2012 is the introduction of a National Health Service Commissioning Board, which will supervise local primary care clinical commissioning groups. These clinical commissioning groups will replace primary care trusts. Primary healthcare providers, particularly GPs, were always the gatekeepers to the National Health Service, but under the 2012 reforms they will also be the principal budget holders under these clinical commissioning groups, buying secondary care in a quasi-competitive open market.

Under ss14X and 14Y of the National Health Service Act 2006, following wholesale amendment to that 2006 Act by the Health and Social Care Act 2012, clinical commissioning groups will have separate statutory duties to promote innovation and research. The groups also have a duty to carry out their functions effectively, efficiently and economically (s14Q).

To assist clinical commissioning groups in their extensive duties set out in Part 2 of the 2006 Act, they will have the power to raise income (a new power under s14Z5 of the 2006 Act), by doing anything the Secretary of State can do under ss7(2)(a), (b) and (e) to (h) of the Health and Medicines Act 1988, either alone or with other groups. In particular, s7(2)(f) will permit the groups “to develop and exploit ideas and exploit intellectual property.”

Whilst it may therefore be a stretch to argue that clinical commissioning groups have a duty to exploit the value there may be in patient data, it is clear that to exploit patient data is well within their duties and powers under the 2006 Act. In addition, disclosure of information “made for the purpose of facilitating the exercise of any of the clinical commissioning group’s functions” is explicitly permitted by the 2006 Act (s14Z23(1)(f)).

This only leaves the Data Protection Act 1998 to consider. Could clinical commissioning groups sell patient data under the Data Protection Act 1998, with or without the consent of patients themselves?

This is an interesting question. One answer is that it would be possible. In order to process patient data, the groups would have to meet one of the conditions for processing sensitive personal data (as defined in the Data Protection Act 1998).

It is arguable that there is the statutory basis for selling the data, being to comply with commissioning groups’ statutory duties to promote innovation and research, and to raise income in order to exercise their statutory duties effectively, efficiently and economically. As there is a statutory basis, the selling of patient data could be argued to be “necessary for the exercise of functions conferred by or under statute” – which is one of the conditions for which the processing of sensitive personal data is permitted under the Data Protection Act 1998 (paragraph 7(1)(b) of Schedule 3 of the Data Protection Act 1998). This does not require patients’ consent.

In addition, processing for research purposes is itself a permitted purpose under the Data Protection Act 1998 (paragraph 10 of Schedule 3 of the Data Protection Act 1998, and paragraph 9 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417); again without patient consent.

Lastly, there is always the ‘medical purposes’ condition of paragraph 8 of Schedule 3 to the Data Protection Act 1998:

8 (1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

Patients’ consent may not strictly be required by law, but under the first (and second) data protection principles, patients will have to be made aware by clinical commissioning groups that their data, in whatever form, is being sold for medical research purposes. Patients could try to exercise a stop notice right under s10 of the Data Protection Act 1998 (the right to prevent processing likely to cause damage or distress), but ‘good luck with that’ is the phrase that immediately springs to mind.

Although it may be lawful for commissioning groups to sell patient data, it may be that best practice will lead to any sale being restricted to Barnardised or anonymised patient data. This may be clarified by the NHS Commissioning Board, which has a responsibility to issue guidance on the processing of patient information under s13S of the 2006 Act, following the abolition of the National Information Governance Board for Health and Social Care in the 2012 Act. ‘Patient information’ in this context is a new term defined at s20A of the Health and Social Care Act 2008, and is broader than a patient’s personal data, as defined under the Data Protection Act 1998, to include any information about a person’s health, diagnosis or care or data derived from that information, whether that information or data identifies an individual or not.

So, a case can be made for saying that commercialisation of patient data may well be a consequence of the Health and Social Care Act 2012. Whether this consequence was unintended or was anticipated is for others to answer.


Bureau of Investigative Journalism v Bell Pottinger: a question of standards?

You may have thought that experienced public relations professionals would realise that there is no such thing as a private or “off the record” briefing, but the report last week from the Bureau of Investigative Journalism (BIJ) into the activities and practices of Bell Pottinger (BP) suggests this is not the case.

The BIJ used what is colloquially called a sting by posing as potential clients from a regime with questionable human rights and anti-corruption credentials, to reveal boasts from BP of what it could do in terms of media management and lobbying on behalf of a less desirable client, if that client showed commitment to a reform agenda. The sting included the use of hidden cameras and recording equipment, in what many consider to be tactics close to being entrapment.

The BIJ published its report, including video clips, on its website. The report was picked up by a number of press and broadcast media channels.

The story therefore provides a neat example of the difference in regulation between bloggers/websites, press media and broadcast media. This could not be more topical, as the Leveson Inquiry considers press regulation.

Blogs and websites

Firstly, blogs, bloggers and their websites have few restrictions on what they do or say. Only privacy and libel laws (together with specific legislation such as provisions concerning incitement to racial or religious hatred in the Public Order Act 1986) limit how and what is reported – it is accepted that current libel law as practised in England and Wales may have a significant chilling effect on free speech, so that this is no trivial “only”. Assuming that there is no libel involved in the BIJ exposé as it merely faithfully reports BP’s own statements, then the question here is the methods used to get those statements. There are no specific laws against the use of surreptitious recording, if the recording does not involve interception of electronic communications within the scope of the Regulation of Investigatory Powers Act 2000 (eg hacking or phone monitoring) or unauthorised access to computers within the scope of prohibitions in the Computer Misuse Act 1990. The Data Protection Act 1998 might have relevance, but within it is a journalism exemption (section 32), which applies when the material processed is intended for any form of publication in the public domain and the publisher reasonably believes the publication is in the public interest. Although it does not say so explicitly, this publication must include blogs and websites.

A person seeking to challenge the publication could complain to the Information Commissioner, who has the power to levy monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998, but to date there has not been a case involving a failed section 35 defence. Action in the courts is possible (but expensive), but the level of damages is low – the most publicised case involved Naomi Campbell (Campbell v Mirror Group Newspapers [2002] EWHC 499 (QB), subsequently upheld by the House of Lords [2004] UKHL 22). Although not clearly identified as such, it would seem that her data protection damages amounted to a modest £1,000, out of a total award of £3,500 damages for breach of the Data Protection Act 1998 (damages for distress under section 13) and for breach of confidentiality.

More importantly, for private individuals’ blogs, it is arguable that any processing by them would be within the domestic purposes exemption (section 36), but this does depend upon how the law develops to interpret what are “recreational purposes” within that exemption.

Press media

For press media, there is little legislation above what applies to bloggers. The difference is that there is an increased level of self-imposed regulation, under the Press Complaints Commission (PCC) and its Editors’ Code. Article 10 of the Code states:

10 Clandestine devices and subterfuge
i) The press must not seek to obtain or publish material acquired by using hidden cameras or clandestine listening devices; or by intercepting private or mobile telephone calls, messages or emails; or by the unauthorised removal of documents or photographs; or by accessing digitally-held private information without consent.
ii) Engaging in misrepresentation or subterfuge, including by agents or intermediaries, can generally be justified only in the public interest and then only when the material cannot be obtained by other means.

However, these restrictions can be disregarded in the public interest, if an editor reasonably believed prior to publication that publication or journalistic activity prior to publication was in the public interest. Note that in dealing with any complaint about use of clandestine devices and subterfuge, the PCC can take into account “the extent to which material is already in the public domain, or will become so”. Does this mean that once information obtained by subterfuge is out in the public domain, it is fair game for press media to republish it?

The real question for the Leveson Inquiry is what happens when there has been a breach of the PCC Code. It is widely suggested that the PCC is too ready to find that there is public interest. Even when it finds that there is no public interest to warrant the breach of the Code, it is arguably toothless, so that remedies for the victim are derisory.

Broadcast media

Lastly, what if the BIJ report had been broadcast on the Channel 4 Dispatches programme, which appears to take some indirect flak from BP? Channel 4 is subject to the Broadcasting Code, regulated by Ofcom. Section 7 of the Broadcasting Code includes:

Deception, set-ups and ‘wind-up’ calls
7.14 Broadcasters or programme makers should not normally obtain or seek information, audio, pictures or an agreement to contribute through misrepresentation or deception. (Deception includes surreptitious filming or recording.) However:
• it may be warranted to use material obtained through misrepresentation or deception without consent if it is in the public interest and cannot reasonably be obtained by other means;
• where there is no adequate public interest justification, for example some unsolicited wind-up calls or entertainment set-ups, consent should be obtained from the individual and/or organisation concerned before the material is broadcast;
• if the individual and/or organisation is/are not identifiable in the programme then consent for broadcast will not be required;
• material involving celebrities and those in the public eye can be used without consent for broadcast, but it should not be used without a public interest justification if it is likely to result in unjustified public ridicule or personal distress. (Normally, therefore such contributions should be pre-recorded.)

So if a victim of deception complained to Ofcom, would the outcome be as weak as for the PCC?

This is where there is a marked difference between press and broadcast regulation. Whilst the actual regulations may be similar (see the above rules on deception/subterfuge), the penalties for getting it wrong as a broadcaster can be steep. Ofcom can fine up to £250,000 or 5% of a broadcaster’s qualifying annual revenue. The most recent case reported by Ofcom for breach of the fairness rule was a case involving Press TV Limited, who were fined £100,000 on 1 December 2011.


Revised cookies’ law and lack of guidance takes the biscuit


I was asked a couple of days ago to prepare an email alert for clients on a commercial law update circulation list to describe compliance steps required for the new cookies law. This turns out to be virtually impossible. Much as it pained me, the advice really comes down to the cliché lawyers’ answer of, “It depends”.

Together with my colleague Mark Alsop, we finally went with this:

When we issue email alerts on an imminent change in law that is likely to have a wide impact on normal business activities, we seek to give clear guidance on what steps must be taken for compliance with the new law.

Regrettably, this is rather difficult to do for the new law on the use of cookies, which comes into effect on 26 May 2011.

A cookie is a small file of letters and numbers placed by a website onto a user’s computer when he or she accesses the website. They allow a website to recognise a user’s computer and to adjust the user’s experience of the website accordingly – cookies can be used for authentication, storing preferences, managing shopping baskets, tracking web-browsing and many other things. A website may place several cookies onto a user’s computer.

The current law requires users to be given information about the use of cookies, which information must include details on how the user can opt out of cookies’ use – this is contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003. As their name implies, the Regulations implement a European Union Directive (Directive 2002/58/EC). Compliance has usually involved no more than including a statement in website terms and conditions or privacy policy on the use of cookies. The law applies not just to cookies, but also to alternatives that perform similar functions, such as tracking by IP address, hidden form fields and flash cookies – all covered by the word “cookies” for the purposes of this note.

This Directive has been amended so that, as well as giving users information on exercising an opt out, usually by changing their browser settings to reject any cookies, no cookies can now be used lawfully unless the user has given his or her consent to their use.

The change is practically difficult to implement without spoiling the user’s browsing experience. It had been thought (hoped) that having browser settings which permit cookies would amount to consent, but this has been rejected as a means of obtaining consent.

The UK Government did consult on appropriate amendments to the UK Regulations to make them easier to comply with, but that came to nothing when the Ministry of Justice announced that in future all Regulations implementing EU legislation will simply faithfully reproduce the revised EU Directive wording.

The Information Commissioner’s Office (ICO) has recently published guidance on the new cookie law, but this does not give any definitive, practical assistance in compliance. Instead, it recognises that the new law is difficult to implement. It merely advises that companies review their use of cookies and consider how they may be able to obtain the consent called for by the new regulation.

We can therefore only repeat the ICO advice. Audit your use of cookies and consider how intrusive your use of the cookies is. Then see how best you can get (and record) users’ consent. The guide suggests methods involving features such as pop ups, terms and conditions and settings, i.e. instances asking users for consent at the same time as they anyway have to make choices in relation to the website. These methods will of course not always be available. The guidance does acknowledge that it will be particularly challenging to obtain consent in relation to “third party cookies” (which allow third parties to set cookies on a user’s computer).
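To make the ICO’s two-step advice concrete (audit what you set, then gate anything non-essential on recorded consent), here is an added illustration. It is not code from the original alert, from the ICO or from any particular site: the cookie names, the registry of categories and purposes, the `cookie_consent` record format and the function names are all assumptions for the example. It is written as pure functions over the request’s Cookie header and the Set-Cookie strings a server would emit, so it runs without a browser, and it goes a little beyond the text by also flagging cookies that appear on a request but are not in the registry, which is usually how unaudited third-party cookies surface.

```javascript
// Added example (not from the original alert). Hypothetical registry of the
// cookies a site knows it sets, with the category each falls into.
const REGISTRY = {
  session_id:     { category: "strictly-necessary", purpose: "keeps the user logged in" },
  cookie_consent: { category: "strictly-necessary", purpose: "records the user's consent choices" },
  basket:         { category: "functional",         purpose: "shopping basket contents" },
  _ga:            { category: "analytics",          purpose: "third-party analytics identifier" },
  ad_id:          { category: "advertising",        purpose: "ad-network tracking identifier" },
};

// Categories in increasing order of intrusiveness; the ICO expects the more
// intrusive ones to be dealt with first, so the audit reports in this order.
const CATEGORIES = ["strictly-necessary", "functional", "analytics", "advertising"];

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Step 1, audit: classify every cookie seen on a request against the registry.
// Anything not registered is flagged so the site owner can find out what it is.
function auditCookies(header) {
  const seen = parseCookieHeader(header);
  const report = { byCategory: {}, unregistered: [] };
  for (const c of CATEGORIES) report.byCategory[c] = [];
  for (const name of Object.keys(seen)) {
    const entry = REGISTRY[name];
    if (!entry) report.unregistered.push(name);
    else report.byCategory[entry.category].push(name);
  }
  return report;
}

// The consent record is itself kept in a strictly-necessary cookie as JSON
// (assumed format): {"v":1,"ts":"<ISO time>","granted":["functional", ...]}.
// A missing or malformed record is treated as no consent.
function readConsent(header) {
  const raw = parseCookieHeader(header).cookie_consent;
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    return Array.isArray(rec.granted) ? rec : null;
  } catch (e) {
    return null;
  }
}

// Step 2a, record consent: build the Set-Cookie header for the consent record.
// Only known categories are stored; strictly-necessary never needs consent.
function consentSetCookie(grantedCategories, now = new Date()) {
  const granted = grantedCategories.filter(
    (c) => CATEGORIES.includes(c) && c !== "strictly-necessary"
  );
  const rec = { v: 1, ts: now.toISOString(), granted };
  return `cookie_consent=${encodeURIComponent(JSON.stringify(rec))}` +
    "; Path=/; Max-Age=31536000; SameSite=Lax; Secure";
}

// Step 2b, gate: return the Set-Cookie header for `name`, or null when the
// cookie is unregistered or its category has not been consented to.
function setCookieIfConsented(name, value, requestCookieHeader,
                              attrs = "Path=/; SameSite=Lax; Secure") {
  const entry = REGISTRY[name];
  if (!entry) return null;
  if (entry.category !== "strictly-necessary") {
    const consent = readConsent(requestCookieHeader);
    if (!consent || !consent.granted.includes(entry.category)) return null;
  }
  return `${name}=${encodeURIComponent(value)}; ${attrs}`;
}

// Constructed sample request: a user who consented to functional and analytics
// cookies only, plus an unregistered cookie that the audit should flag.
const sampleConsent = consentSetCookie(["functional", "analytics"]).split(";")[0];
const sampleRequest = `session_id=abc; ${sampleConsent}; _ga=GA1.2.1; mystery=1`;
console.log(JSON.stringify(auditCookies(sampleRequest)));
console.log(setCookieIfConsented("basket", "item1", sampleRequest)); // set
console.log(setCookieIfConsented("ad_id", "x", sampleRequest));      // null
```

The gate sits in front of every Set-Cookie the application emits, so a developer adding a new cookie has to register it (and pick a category) before it can be set at all; that is what turns a one-off audit into something that stays true after the next release.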

There are reports that the Government is working with browser suppliers to bring in browsers that can give compliant consent.  This will be a big step forward, but as the guidance points out, there will remain the problem of users who do not upgrade to such browsers.

Two final observations. First, the ICO expects websites to deal with the more intrusive cookies first. Second, in terms of enforcement, the guidance acknowledges that there is no prospect of full compliance by 26 May, i.e. less than 3 weeks after the guidance was issued. Instead, the ICO indicates that, for the time being, it is concerned to ensure that website owners have a realistic plan to achieve compliance.

The ICO states that further guidance will be issued “if appropriate, in future”.

DoJ, Wikileaks and Twitter: Stones and Glasshouses

There seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possibly Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Data Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasise that any action by a designated person or a person authorised by them must be “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the designated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice can be unlimited. The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1))(the “Data Retention Directive Purposes”)(emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”. Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication” (Regulation 2). This definition is slightly different from that set out at section 21(4) of RIPA (see above); the clearest differences are that RIPA expressly includes and defines location data (at sections 21(6) and (7)), and that the Data Retention Regulations define traffic data more broadly. In particular, the definition of traffic data in the Data Retention Regulations does not exclude data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule. This is generally data necessary: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment). The retention period for all communications data retained under the Regulations is twelve (12) months (Regulation 5). The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be kept for longer than is necessary for the specified and lawful purpose(s) of the data controller. Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be exempt from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention of Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]

The Daily Mail, Dorries and Data Protection


Our last two posts addressed the position of Nadine Dorries MP under the Data Protection Act 1998 (the “DPA”) in respect of sensitive personal data concerning her partner’s wife posted on the MP’s website in her Personal Statement to the Press.

It appears that the Personal Statement to the Press may have been made in anticipation of a story being published in the Daily Mail the following day on the MP’s new relationship. In that story the same sensitive personal data was published, raising the question of whether the Daily Mail was itself potentially in breach of the DPA.

There is one material difference between the two cases. The Daily Mail, being a news organisation, can rely on the exemption at section 32 of the DPA. This applies where the processing of personal data, including the publication of it, is done for the special purposes of journalism, literature or art. It is not a complete exemption from the provisions of the DPA, but it does permit a journalism organisation to breach a data protection principle where it “reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest” (section 32(1)(b)) and “reasonably believes that, in all the circumstances, compliance [with the data protection principle] is incompatible with the special purposes” (section 32(1)(c)).

Publication, it is clear, includes making the journalistic material available to the public or any section of the public by any media (from section 32(6)).

A subject of any journalistic material retains their right to bring an action for compensation, including damages for distress (section 13(2)(b)), which means that any newspaper wishing to publish must weigh up the risk of being sued under the DPA and a court finding that newspaper could not have had a reasonable belief that the publication was in the public interest.  There are extremely few cases on this point, but perhaps the most notable is the Naomi Campbell case.  She brought a case against the Mirror as a result of pictures being published of her leaving a Narcotics Anonymous meeting.  The data protection aspect of the case was thoroughly described by the Master of the Rolls, Lord Phillips, when the case was appealed to the Court of Appeal (Naomi Campbell v Mirror Group Newspapers [2002] EWCA Civ 1373, subsequently appealed to the House of Lords [2004] UKHL 22).  At the Court of Appeal it was determined that the publication was in the public interest so that the section 32 exemption applied.  In the House of Lords the case was determined upon the basis of the balance of rights under the Human Rights Act 1998 rather than expressly dealing with the DPA, but this can be implied from section 32(1)(b) as being the balance between the right to freedom of expression and the right to privacy.

So in deciding whether the Daily Mail has breached the DPA, you have to consider, as a court would, whether there were grounds for a reasonable belief that publication of information on her partner’s wife was in the public interest.