Directives often contain a notification provision which places each Member State under an obligation to report certain activities to the European Commission. Following an FOI request to the Commission, it has emerged that the UK Government has ignored its notification obligations under the Data Protection Directive; this raises the general question of whether notification requirements in Directives are effective at all.
With respect to the processing of sensitive personal data without the consent of the individual concerned (e.g. processing details of an individual’s health, criminal offences, ethnicity, religion or sexual life) there is considerable doubt as to whether the UK Government has transposed the Directive’s sensitive personal data provisions properly into the UK’s Data Protection Act.
Notification is not some trivial, bureaucratic, pen-pushing requirement. In the Passenger Name Records (PNR) Directive, for example (see last week’s blog), there is a requirement for Member States to provide the Commission with the identity of the “competent authorities” who receive PNR data. If these details are not provided by Member States, then Europe’s citizens cannot identify which national organisations are using PNR data or begin to assess whether that use is legitimate.
Additionally, important comparisons cannot be made: if the British were to have 20 competent authorities and the Germans 5, then questions might be asked as to whether the UK were disclosing PNR data too widely.
The failure by the UK to notify other sensitive personal data purposes
When a Member State interferes with an individual’s private and family life, transparency is a cornerstone of accountability and trust. With respect to the processing of sensitive personal data without the consent of the data subject, the UK Government has notified only 1 of the 19 processing purposes it should have notified. There are 5 further purposes relating to matters such as law enforcement, but these do not need to be notified to the Commission (see Article 3(2)).
The FOI request reveals that only four countries have notified any additional sensitive personal data provisions, eleven in total: Denmark (1), Finland (2), the Netherlands (7) and the UK (1); two of the Dutch ones, which are seven years old, are marked as “temporary”. The actual UK total should be 19 notified purposes (plus 5 where there is no obligation to notify). See the references for the complete list of the notified eleven and of the missing UK eighteen.
With 18 additional conditions so far identified by the UK, one wonders how other EU countries have coped without them. Perhaps the British Government is over-legislating in the field of the processing of sensitive personal data? Who knows; but transparency is the important step that allows these questions to be asked, and such transparency has been absent.
However, the overriding suspicion is that most EU countries (like the UK) are simply not reporting the additional uses of sensitive personal data that they have authorised. If such non-reporting is widespread, what confidence can the public have in other Directives that contain similar reporting arrangements (e.g. the PNR Directive)? If these provisions are neglected by Member States, what is the point of making such reporting a legal requirement? And what care has the European Commission taken to ensure that effective reporting does take place?
These are important questions that need an answer from the Commission and Member States.
Is the processing of sensitive personal data lawful?
The provision of the Directive that permits additional uses of sensitive personal data (except health; see later), each of which must then be notified to the Commission, states that:
“Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority” (Article 8(4); my emphasis)
Note that any additional processing purpose for sensitive personal data has to be associated with a “substantial public interest” and be subject to “suitable safeguards”. As can be seen by studying some of the UK’s additional uses, some conditions do not require a “substantial public interest” to exist, nor do they provide for any additional “suitable safeguards”. The question therefore arises whether these additional purposes are consistent with the text of the Directive, and whether they have been properly transposed into UK law.
What is also surprising is that the Commission does not insist that Member States provide the obvious facts that need notifying; namely, a description of the “substantial public interest” served by the additional processing purpose and of the “suitable safeguards” that have been provided. This suggests that the Commission itself is possibly indifferent to the importance of these notification requirements.
Note also that Article 8(4) permitted the Government to allow the Information Commissioner to determine whether the additional processing of sensitive personal data was legitimate. This would have been the best option in terms of privacy outcomes, as the Commissioner would have to assess any additional processing of sensitive personal data in the context of a full data protection compliance check.
Because of this, it is easy to see why this option would not appeal to a UK Government. If a Government Minister wanted his Department to use sensitive personal data to realise a political or policy objective, then that Minister would not want to risk an unelected, independent official stopping them on data protection grounds. (See the “Nine Principles...” reference if you are interested in this aspect.)
The wider uses of medical records are not notifiable to the Commission, but even here questions arise as to whether the Directive’s provisions have been properly transposed into UK law. The Directive states that it is only legitimate to process health data (in the absence of patient consent, remember) “...where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services...” (Article 8(3)). Note that the list is limited to four purposes.
Compare that with the UK implementation, which states that “...medical purposes include the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services”. Note that the UK list is open-ended (through the word “include”), and that medical research, which the UK list adds, is not one of the purposes in the Directive’s limited list.
Thus the UK implementation included an attempt to facilitate a medical research purpose using health personal data without the consent of the data subject, contrary to the text of the Directive; additionally, that medical research purpose did not need to possess a “substantial public interest”. See the references for recent research into the use of medical records for research purposes without the consent of the patient.
Today the Prime Minister is promoting the “Big Society” and encouraging people to do those things that Government finds difficult. So I can proudly announce that Hawktalk has joined the Big Society; it has reported to the Commission what the Government has failed to do.
The Commission’s list of notified additional purposes for the processing of sensitive personal data for all EU Member States (Download Commission_list_notifications_feb2011). Because of the paucity of the content, I asked the Commission to expressly confirm that they had provided me complete and up-to-date information. This confirmation has been received.
List of processing purposes that the UK should have notified to the Commission (including those purposes where there is no need to notify) (Download Haktalk_list_not_notified_feb2011).
Academic analysis, “Using NHS Patient Data for Research Without Consent”: accessible from http://papers.ssrn.com/abstract=1753029
“Nine principles for assessing whether privacy is protected in a surveillance society (Parts 1 and 2) – 2008”; accessible from http://www.amberhawk.com/policydoc.asp
Adverts re Data Protection courses
Our Spring UPDATE session is on 11th April in London: follow the link for details of speakers and content on our website (at £195+VAT for the day it is a real double-dip-recession-busting snip). We are also running a Privacy Impact Assessment course, a RIPA course and a Data Protection Audit course on consecutive dates (21st to 23rd March).
We are starting a 5-day intensive data protection course in Leeds (beginning 3rd March) and London (10th May), and a 7-day course starting in Manchester (12th May). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details from the Amberhawk website (www.amberhawk.com)