The last Labour Government did it in spades and now the Coalition has followed suit. What is “it”? Why, enacting legislation that grants Ministers wide ranging and unchecked powers concerning the processing of personal data, of course. Don't worry: it's just our health records.
About two weeks ago, a colleague at the British Computer Society asked me a simple question: “Does the Health and Social Care Bill, currently before Parliament, permit medical research without patient consent?”.
Having waded through 400 pages of legislation, I think the answer is “yes”; this blog explains why. I also suggest amendments to ensure that the process is subject to a semblance of Parliamentary scrutiny, unpopular though this concept appears to be.
The Health and Social Care Bill establishes an “Information Centre” whose role is to “promote the effective, efficient and economic use of resources” in the NHS and Local Authority social work care. The term in quotes clearly can involve a wide range of functions: from “research into how best to focus care” (i.e. as efficient health services need medical research) to “how to stop non UK residents obtaining free health care” (i.e. it’s economic to check entitlement prior to providing services).
Perhaps even, in future, an intelligent Minister might justify the creation of a mega-medical database of patient data in terms of efficiency! Perish that thought but look at Clause 250(1)(a) if you want chapter and verse.
In the early days of widespread data sharing to counter benefit fraud, the Audit Commission used the term “effective, efficient and economic use of resources” to argue that it legitimised its data matching, anti-fraud initiatives. I say this not to decry data matching; merely to point out that the term “effective, efficient and economic use” has, shall we say, a high degree of flexible interpretation to be used by those with powers.
The powers in the Bill (in clause 251) permit the Secretary of State to give directions to the Information Centre. These directions include those purposes that are “necessary or expedient ... in connection with the provision of health care” or “in the interests of the health service” (where a test of "necessity" or "expediency" is not even required).
Did you get the gist? Another set of very flexible terms! As in for example: I am short of money and I think it expedient not to pay my tax bill (i.e. to follow the Greek model of taxation).
Once directions are given, the Information Centre is given powers to “require” (i.e. oblige local authorities and NHS bodies) or request (i.e. ask anybody else) that information be disclosed to it. The Bill then says that “any provision of information (to the Centre)... does not breach any obligation of confidence but is subject to any express restriction on disclosure imposed by or under any Act...” (Clause 255(7)).
So, if the Secretary of State issues a direction in the context of medical research, the obligation of confidence (e.g. owed by an NHS body) is set aside. As the Data Protection Act does not provide an “express restriction on disclosure”, then disclosure for a medical purpose can proceed without patient consent (assuming no other legislation provides that express prohibition).
Of course, patients have to be told about any research purpose (via a fair processing notice) and might be able to subsequently exercise their right to object (on the grounds that the processing causes unwarranted substantial distress or unwarranted substantial damage). However, this has to be recognised as a fig leaf of privacy protection that has little value.
So what should be done? I think four steps need to be drafted into this Bill (at least):
(1) Where a Ministerial direction concerns the processing of personal data that is likely to set aside an obligation of confidence, the Information Commissioner must be consulted as to the content of the direction before that direction is issued.
(2) If the Information Commissioner is of the view that the direction concerns a matter that Parliament should review, then the direction should only be issued after Parliament has expressly approved the content of a direction (i.e. positive affirmation).
(3) Any Ministerial direction must be accompanied by a report that justifies its need; such a report should be laid before Parliament.
(4) The Information Commissioner should be empowered to ask the Courts to annul a Ministerial direction on the grounds that the direction is likely to result in processing of personal data that does not respect an individual’s private life (i.e. is in breach of Article 8 of the Human Rights Convention).
In the dark ages of New Labour’s surveillance state, I produced an analysis entitled “Nine principles for assessing whether privacy is protected in a surveillance society” (see references below).
What the above shows is that the passing of that Government has not diminished the urgent need to provide checks and balances on the possibility that wide ranging powers will be used by over-zealous Ministers.
The “Nine Principles...” analysis is in two parts. Part 1 explains why the current framework of privacy protection in the UK is deficient especially in the face of wide ranging powers as in this Bill; Part 2 sets out nine principles that rectify the problems identified in Part 1 and promotes specific improvements to the data protection/human rights regime. It is available from http://www.amberhawk.com/policydoc.asp