New Data Sharing Laws: Too Far, Too Fast?

According to a story in the Guardian newspaper last week, proposals to be published in May by the Cabinet Office minister, Francis Maude, are expected to make it easier for government and public-sector organisations to share confidential information supplied by the public.

“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.

“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”

The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards.

Maude has hit back at the reporting of the proposals. Whilst the detail is awaited, one has to wonder whether this is the right time to consider such measures. The recent announcement of a new law to require Internet firms to give intelligence agency, GCHQ, access to everyone’s communications data on demand and in real time as well as the ongoing controversy about the failure to regulate press intrusion has already raised concerns about the Government’s commitment to “roll back the surveillance state”.

Civil liberties campaigners are already saying that the new plans are further evidence of the revival of “The Database State” proposed by New Labour. In a recent article the Campaign Group, NO2ID, argued that the Government should establish clear guidelines on people’s rights to privacy to put a brake on official bodies sharing data.

This is not the first time that concerns have been raised about data sharing. In July 2008 “The Data Sharing Review Report” was written by the then Information Commissioner, Richard Thomas, and Wellcome Trust director, Mark Walport. In it they warned:

“The tenor of the government’s argument has focused closely on the benefits of data sharing, paying perhaps too little attention to the potential hazards associated with ambitious programmes of data sharing,” stated the report. “The government has consistently laid itself open to the criticism that it considers ‘data sharing’ in itself an unconditional good, and that it will go to considerable lengths to encourage data-sharing programmes, while paying insufficient heed to the corresponding risks or to people’s legitimate concerns.”

Is the current law not adequate to regulate yet allow responsible data sharing? The Data Protection Act 1998 (DPA) already governs all processing of personal data including the sharing of it. Whilst it is still conceived as a barrier, if properly understood, it can be a tool for responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).

In May 2011, the Information Commissioner published a new statutory Code of Practice on data sharing. The Code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one-off requests for information.

So is there really a need for a new law on data sharing? The Information Commissioner’s Office has issued a short statement on the proposals. Reading between the lines, it seems to be saying that the current law and the ICO Code are adequate. What do you think?

Read our article for a full explanation of the ICO Data Sharing Code.

You can attend our full day Multi Agency Information Sharing workshops

We also have a one-hour online seminar on this subject.

Please call re ICO conference.

Working around the UK, we Act Now speakers sometimes get messages or emails from the office staff. If we can, we pick these up and follow them up at lunchtime, coffee breaks etc.

Last week I received one such message and it looked promising. (See title of post). The ICO want to talk to me about this conference… is it the invitation I’ve been waiting for to address 500 colleagues on the Data Protection joke book from A to B? Is it an opportunity to run a workshop or maybe they want us to advise them on something?

My flying fingers could scarcely contain a feverish frisson of excitement as I dialed the digits.

It wasn’t the ICO. It was a company who to be truthful did identify themselves but did it so quickly that I missed it (but I have their number). Some gentle introductory questions about why we attended blah blah blah then they got to the main course. Who do we speak to in your company about encryption solutions? Head of Procurement? IT director?

I asked the obvious question and was told that they obtained my name and corporate details from the documentation given out at the recent DPO conference in Manchester. And to the obvious follow up question – yes they were ringing delegates to offer them Encryption solutions.

I ended the call using a well-known technique and started wondering. I wasn’t happy but had they breached any laws or regulations? DPA? Was it personal data? If it’s not personal then all the principle 6 rights disappear. Was it marketing? A section 11 issue? That again specifies personal data.

Aha. They used the telephone. Isn’t that covered by PECR? And PECR is about subscribers not individuals. If we were registered with corporate TPS they’d be committing an offence wouldn’t they? Wouldn’t they?

What about the ICO? Should they have issued a list of delegates to all delegates? Was it not personal data but became personal data once it was worked on by another data controller? What schedule 2 condition applies to data collected at a conference and manipulated by the user to be used for marketing and selling?

I remember in the days when I spoke at conferences and the organisers would invite me to speak and they also invite me to email their flyer to all my colleagues in the sector. In those days it was routine to list email addresses of delegates in the conference documentation. Things have changed but dodgy practice still exists.

Did anyone else get this call? Were any offences committed?

Access to Social Work Records of the Deceased

Local authorities often receive Freedom of Information Act (FOI) requests for access to the social work records of the deceased. These usually come from family members, sometimes to assist them with a dispute or a legal claim. When making a decision about disclosure, Social Services staff are required to assess the privacy of the living as well as the dead.

Sometimes the exemption under section 41 of FOI (Breach of Confidence) can be used to refuse access to information about the deceased. This applies where a disclosure of confidential information, obtained from another party, would lead to an actionable Breach of Confidence. The leading Information Tribunal case (as it was called then) on this issue (Bluck v Information Commissioner and Epsom and St. Helier University Hospitals NHS Trust EA/2006/0090) concerned the disclosure of medical records to the deceased’s mother without the consent of the deceased’s husband. The Trust’s decision to deny access, based on section 41, was upheld by the Commissioner and the Tribunal. Both ruled that the duty of confidentiality extends beyond death. If the information was disclosed there was, in theory at least, an actionable Breach of Confidence, which would allow the personal representative of the deceased (her husband) to sue the Trust.

This case was followed by the Information Commissioner in a Decision Notice involving Trafford Metropolitan Borough Council (FS50153179 27/11/2007). The complainant asked to see information about her deceased mother which was contained in her mother’s social services records. The Council refused to disclose the information claiming a number of exemptions.

The Commissioner ruled that in respect of the information about and which identified the deceased’s primary carer, the Council was correct to claim the section 40 exemption (personal data). The information included references to the carer’s personal circumstances, her health and financial arrangements. The sensitive nature of the information and the fact that the carer had objected to the release of similar information held by another public authority meant that the disclosure, without consent, would be unfair.

Most of the rest of the requested information was about the deceased. The Commissioner ruled that the section 41 exemption could be claimed. Clearly this information was obtained from another party (i.e. GPs, the primary carer, the deceased etc.) but was it confidential? The Council explained that individuals enter into social services care arrangements with the expectation that the information they provide (both directly and indirectly) will only be used in connection with the provision of that care and will not otherwise be disclosed to third parties without their consent (except in very limited circumstances). The Commissioner accepted that this expectation of confidence is the cornerstone of the Council’s relationships with its clients and is vital for successful service provision. The Commissioner also accepted that the threat of onward disclosure of such information could inhibit the relationship between it and its clients, in that concerns that private information may subsequently be open to public scrutiny may cause clients to be unwilling or to refuse to disclose important information.

On the other elements of the section 41 exemption, the Commissioner relied on the Tribunal decision in Bluck (see above) to rule that the duty of confidence survived the death of the deceased and disclosure of the information would be an actionable breach of confidence. The personal representative of the deceased (the carer) had a theoretical right to sue the council.

Sometimes information being requested about the deceased includes health records which may be accessible under the Access to Health Records Act 1990. In such cases the exemption under section 21 of FOI may be claimed i.e. it is reasonably accessible by other means. Section 3 of the 1990 Act gives, amongst others, the personal representatives of the deceased, a right to access the health records of the deceased. Exceptions exist under section 4, e.g. where the patient had requested a note be made that they did not wish access to be given, and section 5.

Before applying the section 21 exemption, a public authority must carefully consider if the applicant indeed has a right of access under the 1990 Act as it only applies in limited circumstances. Firstly, if the requestor is not a personal representative of the deceased (or, to be technically correct, a person having a claim arising out of the death of the deceased) then they cannot access the information under the 1990 Act. Secondly, the records being requested must be health records within the meaning of the Act. A recent Tribunal decision sheds more light on these points.

In Martyres v ICO and NHS Cambridgeshire, EA/2011/020, the requestor sought all information held by NHS Cambridgeshire (and its relevant community services provider), in respect of her deceased mother including information about the care received by her mother at a care home she was staying at prior to her death. The requestor argued that she was the next of kin, proposed executor and trustee of one of the wills and had a valid claim against her mother’s estate under the intestacy rules.

Before the Tribunal, the requestor argued that the Commissioner had erred in concluding that the disputed information was exempt under section 41, as no actionable Breach of Confidence would arise from the disclosure of the information. The Tribunal gave short shrift to this argument and this is not surprising given previous cases discussed above. Strangely it concluded that the confidence was owed to the social workers! I would have thought that it was more owed to the deceased. After all, it was information about her care and the social workers were acting in a professional capacity.

The requestor also contended that the Commissioner should have found that the exemption under section 21 was engaged on the basis that “as next of kin and nearest relative” she would have been entitled to obtain the disputed information under the 1990 Act. The Tribunal disagreed. Whilst she was the nearest relative, she was not the personal representative and so had no rights under the 1990 Act. Furthermore the records being sought were not covered by the 1990 Act as they were not health records. Section 1 of the 1990 Act states that a “health record” is defined as a record which:

“consists of information relating to the physical or mental health of an individual who can be identified from that information, or from that and other information in the possession of the holder of the record; and has been made by or on behalf of a health professional in connection with the care of that individual” (my emphasis)

“Health professional” under the 1990 Act has the same meaning as in the Data Protection Act 1998 (DPA). The Tribunal found that social care professionals do not fall within the list of health professionals under Section 69 of the DPA.

The Trust confirmed that the information held had not been prepared by or on behalf of a healthcare professional. Therefore the Tribunal found that the requestor would not have been able to obtain the disputed information from the Trust under the 1990 Act and that the Commissioner was correct to conclude that the disputed information was not reasonably accessible by other means resulting in the fact that the section 21 exemptions would not be engaged.

This case shows the importance of local authorities and NHS organisations checking to see what is being requested (i.e. a health record or a social work record) and checking that the requestor has a right of access under the 1990 Act. If the answer to either question is in the negative then the request has to be considered in the light of section 41 (Breach of Confidence) i.e. the question has to be asked, would disclosure of the social work records lead to an actionable breach of confidence?

For more on access to information about the deceased read Ibrahim Hasan’s full article here

ISEB Certificate In Freedom of Information

June 2012 – London and Manchester

Do you want to learn about FOI quickly?

Do you want to gain an internationally recognised FOI qualification?

Do you have a limited training budget?

More Information available on our website or email us.

 

Act Now Book Draw – Week 8

The winner of last week’s Act Now Book Draw was Amy Ford from NHS Southampton City.

Next week’s book is Covert Investigation by Clive Harfield and Karen Harfield.

The next draw will take place on Wednesday 25th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

Act Now Book Draw – Week 7

The winner of last week’s Act Now Book Draw was Sue Gilbert from Coventry City Council.

Next week’s book is E-Privacy and Online Data Protection (Second Edition) by Susan Singleton.

The next draw will take place on Wednesday 11th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

Breaking (In) News from Sky


Is the Sky about to fall in on Rupert Murdoch? Yet again another of his news outlets is accused of breaking the law in the pursuit of a good story. Where will it end? Yesterday Sky News admitted in a statement that it had hacked emails belonging to members of the public on two separate occasions.

One incident involved targeting the accounts of a suspected paedophile and his wife. The other one involved the “dead canoeist” John Darwin. His wife Anne collected more than £500,000 in life insurance payouts while he hid in their marital home.  The pair were found guilty of the deception in 2008. In the run-up to the trial former Sky News managing editor Simon Cole agreed North of England correspondent Gerard Tubb could hack into Darwins’ Yahoo! email account. The full story can be read on the Guardian website.

The interesting aspect, from a legal perspective, is the legal repercussions for Sky News. It has stated:

 “We stand by these actions as editorially justified and in the public interest.”

Note that it says editorially justified, not legally.  As will be explained below, the offences involved do not contain a public interest defence.

Accessing a person’s computer (directly or remotely) without their consent to read their emails is a criminal offence under the Computer Misuse Act 1990 which is punishable with a fine or a term of imprisonment of up to 12 months. Section 1 (1) of the Act contains the elements of the offence:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured;

(b) the access he intends to secure or to enable to be secured is unauthorised;

and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

There is no public interest defence in the Computer Misuse Act. However section 11 states that no proceedings can be brought for a section 1 offence more than three years after the commission of the offence. Darwin’s emails were accessed in 2008 and therefore a prosecution under S.1 is not possible.

Sky may also have committed a criminal offence under Section 1 of the Regulation of Investigatory Powers Act 2000 (RIPA). Here there is no time limit for a prosecution. The Guardian reports:

“The broadcaster also published a voicemail message on its website, dated 19 May 2007, in which Anne Darwin is clearly heard leaving a message for her husband. The voicemail, part of an interactive graphic, ends with her saying “I’ll try and catch you tomorrow. Love you,” which the broadcaster said showed “she was doing as much of the running as he was”.”

Section 1 makes it a criminal offence to intercept a communication in the course of transmission. The listening to stored voicemails as well as accessing stored emails all potentially fall into this category. The maximum penalty for such an offence is two years’ imprisonment. Again there is no public interest defence.

Once again this case brings into focus the highly dubious tactics of the media when trying to obtain information “in the public interest”. The setting up of the Leveson Inquiry and the inquiry by the House of Commons Select Committee on Culture, Media and Sport meant that at first the primary concern was about allegations of phone hacking by the News of the World. However it has now become clear that hacking phones was just one part of the unscrupulous journalist’s toolkit. It also included buying information from the police, blagging sensitive personal information from public and private sector organisations and the hacking of politicians’ computers to gain access to their emails.

There is now a very strong case for tougher regulation of the media especially when it comes to covert surveillance activities. My view is that, amongst other things, they should be subject to more of the RIPA regime as at present they only have to comply with certain aspects (Part 1 Chapter 1 – Interception of Communications). (See my earlier blog post for more.)

This is a difficult time for the Murdochs and Sky News. The broadcaster’s parent company, BSkyB, is subject to a “fit and proper” investigation being conducted by the communications regulator, Ofcom, in the wake of the News of the World phone-hacking scandal. Cleveland police say that enquiries are ongoing into how the emails were obtained.

No doubt there is much more to come. As Kay Burley would say, “Stay with us…”

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.

Bigger Brother

The Coalition Agreement states that the government “will end the storage of internet and e mail records without good reason.”  This commitment is now in tatters as the Government wants the power to be able to monitor the calls, emails, texts and website visits of everyone in the UK.

The new law, which may be announced in the forthcoming Queen’s Speech in May, will require Internet firms to give intelligence agency, GCHQ, access to communications on demand, in real time. However it will not allow GCHQ to access the content of emails, calls or messages without a warrant. Civil liberties groups including Big Brother Watch have condemned this move as an unacceptable invasion of privacy.

At present Internet service providers are obliged to keep details of users’ web access, email and internet phone calls for 12 months, under the EU Data Retention Directive 2009. While they keep a limited amount of other data already on their own subscribers for billing and other commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.

This is not the first time this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme, at a cost of £2 billion. This latest announcement seems to be the same project but renamed “the Communications Capabilities Development Programme (CCDP)”. Details of the scheme will be published within weeks and will build on Labour’s abandoned proposal (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database.

The Law

Access to Communications Data in the UK is already governed by Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21-25). This sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to fill out (signed by a senior officer) and tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

Real Time

It is unclear as to how the new proposals will be different from the current system. There is talk of the security services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The authorisation forms still have to be completed and signed and served later on though. Maybe they are suggesting that the security services get carte blanche direct access into communications service providers’ systems. This would be unprecedented and certainly “Orwellian” to say the least. The potential for abuse would be massive.

Updating the Law

The Home Office Minister says they are updating the law “in terms of social media and new devices” – it is widely expected to include things like Facebook and phone calls via web-based systems such as Skype. If this means the agencies knowing when an individual visits these sites this is already allowed under the current regime known as traffic data (web browsing information). If the new system goes further and allows agencies to look at actual webpages visited within a domain (e.g. Facebook) and calls made (e.g. from Skype) this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone’s lifestyle, their movements, contacts, interests etc.; potentially a vast amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.

Safeguards

At present the checks and balances are very weak (self authorisation followed by a notice to the CSP). The proposals, which talk of access in “real time” and “on demand”, require much stronger checks and balances.

If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one which councils will be subject to as a result of the changes to the RIPA regime to be made by the Protection of Freedoms Bill. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.

There are also legitimate concerns about what would happen if the information held and accessed on individuals by GCHQ gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.

The Government needs to think carefully about its plans. If these new proposals are enacted there is a massive potential for misuse. It will provide a rich seam of information which may be bought by journalists from unscrupulous police and intelligence officers. This could lead to further erosion of trust in the police and Government. Of course “the Devil is in the detail” and we wait to see how the Government will address these concerns.

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.
