Clinical Commissioning Groups’ Sale of Patient Data

Arguably the most significant reform of the Health and Social Care Act 2012  is the introduction of a National Health Service Commissioning Board, which will supervise local primary care clinical commissioning groups. These clinical commissioning groups will replace primary healthcare trusts. Primary healthcare providers, particularly GPs, were always the gatekeepers to the National Health Service, but under the 2012 reforms, they will also be the principal budget holders under these clinical commissioning groups, buying secondary care in a quasi-competitive open market.

Under ss14X and 14Y of the National Health Service Act 2006, following wholesale amendment to that 2006 Act by the Health and Social Care Act 2012, clinical commissioning groups will have separate statutory duties to promote innovation and research. The groups also have a duty to carry out their functions effectively, efficiently and economically (s14Q).

To assist clinical commissioning groups in their extensive duties set out in Part 2 of the 2006 Act, they will have the power to raise income (a new power under s14Z5 of the 2006 Act), by doing anything the Secretary of State can do under ss7(2)(a), (b) and (e) to (h) of the Health and Medicines Act 1998, either alone or with other groups. In particular, s7(2)(f) will permit the groups “to develop and exploit ideas and exploit intellectual property.”

Whilst it may therefore be a stretch to argue that clinical commissioning groups have a duty to exploit the value there may be in patient data, it is clear that to exploit patient data is well within their duties and powers under the 2006 Act. In addition, disclosure of information “made for the purpose of facilitating the exercise of any of the clinical commissioning group’s functions” is explicitly permitted by the 2006 Act (s14Z23(1)(f)).

This only leaves the Data Protection Act 1998 to consider. Could clinical commissioning groups sell patient data under the Data Protection Act 1998, with or without the consent of patients themselves?

This is an interesting question. One answer is that it would be possible. In order to process patient data, the groups would have to meet one of the conditions for processing sensitive personal data (as defined in the Data Protection Act 1998).

It is arguable that there is the statutory basis for selling the data, being to comply with commissioning groups’ statutory duties to promote innovation and research, and to raise income in order to exercise their statutory duties effectively, efficiently and economically. As there is a statutory basis, the selling of patient date could be argued to be “necessary for the exercise of functions conferred by or under statute” – which is one of the conditions for which the processing of sensitive personal data is permitted under the Data Protection Act 1998 (paragraph 7(1)(b) of Schedule 3 of the Data Protection Act 1998). This does not require patients’ consent.

In addition, processing for research purposes is itself a permitted purpose under the Data Protection Act 1998 (paragraph 10 of Schedule 3 of the Data Protection Act 1998, and paragraph 9 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417); again without patient consent.

Lastly, there is always the ‘medical purposes’ condition of paragraph 8 of Schedule 3 to the Data Protection Act 1998:

8 (1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

Patients’ consent may not strictly be required by law, but under the first (and second) data protection principle, patients will have to be made aware by clinical commissioning groups that their data, in whatever form, for medical research purposes. Patients could try to exercise a stop notice right under s10 of the Data Protection Act 1998, but ‘good luck with that’ is the phrase that immediately springs to mind.

Although it may be lawful for commissioning groups to sell patient data, it may be that best practice will lead to any sale being restricted to Barnardised or anonymised patient data. This may be clarified by the NHS Commissioning Board, which has a responsibility to issue guidance on the processing of patient information under s13S of the 2006 Act, following the abolition of the National Information Governance Board for Health and Social Care in the 2012 Act. ‘Patient information’ in this context is a new term defined at s20A of the Health and Social Care Act 2008, and is broader than a patient’s personal data, as defined under the Data Protection Act 1998, to include any information about a person’s health, diagnosis or care or data derived from that information, whether that information or data identifies an individual or not.

So, a case can be made for saying that commercialisation of patient data may well be a consequence of the Health and Social Care Act 2012. Whether this consequence was unintended or was anticipated is for others to answer.

The Browns’ damage or distress

Paper files of medical records

Paper files of medical records

What would you do if you were approached by a newspaper that wished to publish an article about your child’s illness?  Assuming you do not have the resources to instruct lawyers specialising in privacy and data protection to consider obtaining an injunction, you could look at a little-known and rarely-exercised right in the Data Protection Act 1998.

Section 10(1) & (2) of the Data Protection Act 1998 states:

10  Right to prevent processing likely to cause damage or distress.

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted.

(2) Subsection (1) does not apply—

(a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b) in such other cases as may be prescribed by the Secretary of State by order.

In the scenario being dealt with here, none of the conditions in subsection (2) apply.  As this right is rarely exercised, even less made the subject of any court proceedings, there is no judicial interpretation of what is required to meet the “substantial” level or where the line may be drawn between warranted and “unwarranted” for section 10.  However, it is a cost-free approach to issue a section 10 notice.  As this is a fundamental right under the Act, any recipient data controller ignoring it risks court action, or more likely, enforcement action by the Information Commissioner following a complaint by a person issuing the notice that their rights were ignored.

Although the Information Commissioner’s guidance on when he would be minded to issue a monetary penalty is not completely clear on this point, it is at least arguable that any denial of a section 10 right would be a severe breach of the Data Protection Act.  As a severe breach, it could be the subject of a monetary penalty notice, which can include a fine of up to £500,000.  The risk of being subject to a £500,000 fine, as well as the reputational fall out for a newspaper, might be enough to make a publisher think twice.

There is also the question of the lawfulness of the newspaper publishing the story concerning an individual’s medical condition.  In short, the publication is not covered by any of the lawful purposes for which medical data (included in the definition of “sensitive personal data” in the Act) may be processed. The only conceivable lawful purpose is contained in a statutory instrument, the Data Protection (Processing of Sensitive Personal Data) Order 2000. In particular, paragraph 3 of the Schedule to the Order states:

3.  The disclosure of personal data –

(a) is in the substantial public interest;

(b) is in connection with –

(i) the commission by any person of any unlawful act (whether alleged or established),

(ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or

(iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);

(c) is for the special purposes as defined in section 3 of the Act; and

(d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

It is difficult to make a convincing case that knowledge of a child’s medical condition is in the substantial public interest for paragraph 3(a). Only the case of Leo Blair and MMR comes to mind as a possible example.  That, however, leaves the other conditions in paragraph 3 unfilled for this to be a lawful purpose.

However, newspapers can seek to apply the exemption at section 32 of the Act for journalism, literature or art.  The newspaper would have to be clear that publication was in the public interest (section 32(3)) and within the scope of the Press  Complaints Code (a designated code for the purposes of section 32 under the Data Protection (Designated Codes of Practice) Order 2000 – it is an anomaly that the sensitive personal data Order described above imposes a “substantial public interest” test in connection with journalism (the “special purpose” in paragraph 3(c)), whereas section 32 does not).  Note paragraph 6(v) of the current edition of the PCC Code to Editors, and point 5 of the note on the public interest test to be applied in matters concerning children:

v)  Editors must not use the fame, notoriety or position of a parent or guardian as sole justification for publishing details of a child’s private life.

5.  In cases involving children under 16, editors must demonstrate an exceptional public interest to over-ride the normally paramount interest of the child.

Clearly, the section 32 exemption must be one being relied upon by News International in connection with the publication of Fraser Brown’s medical condition.  It is disappointing, but perhaps not surprising in the circumstances of the relationship between No 10 and News International in 2006, that no complaint was made about the Fraser Brown report that would have given the Information Commissioner’s Office or a court a chance to describe the limits of section 32, or to resolve the conflicting public interest tests in section 32 and the sensitive personal data Order.

If you consider that section 32 gives newspapers too much leeway, then note that the exemption does not cover section 13 of the Act.  In particular, section 13(2)(b) provides, in effect, that “an individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if… the contravention relates to the processing of personal data for the [purposes of journalism]”. It would therefore be the case that if the Information Commissioner, as a result of a complaint, or a court ruled that the newspaper had not published (sensitive) personal data in the public interest, then the individual concerned could sue the newspaper for distress. This would be in addition to any monetary penalty imposed by the Information Commissioner for the contravention.

To date only Naomi Campbell has obtained such distress damages (Campbell v Mirror Group Newspapers [2002] EWHC 499 (QB), subsequently upheld by the House of Lords [2004] UKHL 22). Although not clearly identified as such, it would seem that these damages amounted to a modest £1,000, out of a total award of £3,500 damages under section 13 of the Act and for breach of confidentiality. The low level of these damages has itself probably deterred section 13 actions against newspapers.

Nadine Dorries Press Statement: enforcement and remedy

ICO Data protection cases received and closed (source ICO)

In our previous post we reviewed in the context of yesterday’s personal statement to the press by Nadine Dorries MP, whether the publication of a person’s medical condition on a website could be unlawful under the Data Protection Act 1998 (the “DPA”). If our view that there has been a breach of the DPA is supported, what are the potential consequences for Nadine Dorries MP and what remedies are available to her partner’s wife (“W”), under the DPA?

Firstly, breach of a data protection principle is not of itself a criminal offence. Nothing Nadine Dorries has done appears to be within the scope of any of the criminal offences under the DPA. The disclosures she made in her blog are even within the scope of her notification properly made to the Information Commissioner’s Office (“notification” is the accurate term for the registration of a data controller’s processing purposes required under section 17 of the DPA). So any enforcement action taken by the Information Commissioner against the MP will not include prosecution at this stage.

Nadine Dorries could still be prosecuted if she fails to comply with an enforcement notice made by the Information Commissioner, but as the nature of any enforcement notice would be an order by the Information Commissioner not to breach the relevant data protection principle again, this is unlikely. However, the current practice of the Information Commissioner’s Office is to seek undertakings from breaching data controllers that they will remedy the breach and will behave lawfully in future. Whilst enforcement by enforcement notice is described in Part V of the DPA, this practice of undertakings is non-statutory. It appears that this use of undertakings makes criminal prosecution even more unlikely, as a breach of an undertaking would then lead to an enforcement notice, not directly to a prosecution.

However, the Information Commissioner does have the ability to impose monetary penalties of up to £500,000 for serious breaches of the DPA. All the elements that give the Information Commissioner the power under the DPA to impose a monetary penalties may be present in the Nadine Dorries case: there is a deliberate breach of the first data protection principle in circumstances that would cause W distress. The question is therefore whether the breach is “serious” or the distress “substantial” for the purposes of section 55A(1) of the DPA. As required by section 55C of the DPA, the Information Commissioner has published guidance on how it would determine whether a breach warrants action under section 55A (or 55B), but this does not give sufficient assistance to be able to conclude that Nadine Dorries would be given a notice of intent to impose a monetary penalty, were the Information Commissioner to investigate this case. However, the guidance does suggest that breaches that involve medical data and distress as a result of wrongful processing of medical data are more likely to be in the serious/substantial camp.

So if the Information Commissioner takes no action, what direct remedy does W have under the DPA? It is recognised by privacy advocates that the DPA provides limited remedies to individuals. The only remedy they have for past breaches, which requires court action, is a right to compensation for damage under section 13 of the DPA. In almost all cases, this must be actual damage (i.e. recovery of costs, losses or expenses suffered or incurred as a result of the DPA breach) rather than distress. Damages for distress alone are only possible in a limited set of circumstances, which do not apply to this Nadine Dorries case unless it can be argued that the issue of a personal press statement was for the “purposes of journalism” (section 3(1) of the DPA). There is no case law on what this phrase means.  In addition, there is no recital in the Data Protection Directive 95/46/EC that gives any assistance on what this provision was intended to cover.  Therefore in our opinion it would be a brave claimant that would try to obtain damages for distress under the DPA by claiming that the issue of a statement on a blog was caught by what the DPA calls this “special purpose”.

This leads to the uncomfortable conclusion that W may have no direct DPA remedy herself, and must rely on the Information Commissioner to take action to give her some redress for the distress she may have suffered as a result of details of her alcoholism being published in breach of the DPA.  However, the development of a right to privacy under cases such as Max Mosely v News of the World [2008] EWHC 1777 (QB) or Naomi Campbell v Mirror Group Newspapers [2004] UKHL 22 show that a privacy remedy made be available as a result of judicial intervention where no statutory remedy under the DPA is provided.

Domestic purposes abuse?

Nadine Dorries MP (©

Today, Nadine Dorries MP issued on her blog a personal statement to the press. In the statement she describes how she has embarked upon a romantic relationship with an old family friend. However, the statement also includes personal statements from her new partner and her partner’s daughter. From these secondary statements the wife of the partner can be identified, and she is stated to be a long-term alcoholic and a domestic abuser.

You will note that we have not named the partner, his wife or his daughter. To do so would mean that we would be processing personal data, including sensitive personal data, about these individuals. For the reasons set out in this post, we consider that such processing, being done without the explicit consent of the wife of the partner, would be unlawful under Data Protection Act 1998 (the “DPA”).

The first question that needs to be answered in connection with the press statement is whether the DPA applies at all. Whilst the DPA would apply to our use of the partner’s family personal data, there is a question as to whether the disclosure of this information on Nadine Dorries’ blog is within the scope of the DPA. This is because section 36 of the DPA exempts processing for domestic purposes by an individual. There is no UK case law to assist in determining where the boundary lies for this domestic purposes exemption, but there can be little doubt that if the courts were asked to consider these circumstances, they would be bound by the Court of Justice of the European Union decision in Case 101/01 Bodil Lindqvist.  We would expect a UK court to apply the Bodil Lindqvist decision to find that the publication by an MP of personal data of third parties on the internet was not covered by the section 36 exemption.  Section 36 is clearly the implementation in the UK of the second limb of Article 3(2) of the Data Protection Directive 95/46/EC. The Bodil Lindqvist case facts are very similar to this Nadine Dorries case; both cases involve the publication of personal data, including sensitive personal data, on the internet in circumstances where a non-commercial, private purpose was or could be claimed. The Court of Justice was particularly influenced by Recital (12) of the Directive to decide that internet publication could not be considered to be domestic processing within the exemption at Article 3(2):

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;

The next question, having decided that the DPA applies, is whether there has been any breach of the DPA by disclosing the personal statements. To comply with the First Data Protection Principle under the DPA, a data controller (in essence, the owner of the data or the one who decides what to do with it) must process the data in accordance with one of the appropriate conditions set out in two schedules to the DPA: Schedule 2 for “ordinary” personal data or Schedule 3 for sensitive personal data. For the purposes of this post, “ordinary” personal data is data which identifies an individual and which is not sensitive personal data. Sensitive personal data is defined in section 2 of the DPA as:

In this Act “sensitive personal data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Even taking the most favourable interpretation of this definition to the information disclosed about the partner’s wife, it is clear that information about her alcoholism (physical or mental health or condition) is sensitive personal data. There does not appear to be any legitimate purpose under Schedule 3 that would permit the disclosure of this information without the explicit consent of the partner’s wife. It therefore appears that the disclosure is unlawful.

Having decided that the publication of a third party’s medical condition, if it is without explicit consent, is unlawful, raises the question of the consequences. We will deal with this in our next post.