Email marketing under PECR and the Data Protection Act

I have just had published an article on PECR and Data Protection in the context of email marketing. I think it might be useful to practitioners so I have added it to the blog. It combines the marketing rules under PECR with the Data Protection obligations and goes into the overlap between subscriber, user and data subject. The article will be useful for practitioners from the public and private sector data controllers, as well as those sitting the ISEB exam.

Enjoy reading. I had a heavy teaching load last week, so that explains the absence of a blog. Hope this makes up!

To download the article, just click on the link Download Article_marketing by electronic mail_dec2011_v2

Does the Health Care Bill permit medical research without patient consent?

The last Labour Government did it in spades and now the Coalition has followed suit. What is “it”? Why enacting legislation that grants Ministers wide ranging and unchecked powers concerning the processing of personal data of course. Don't worry: it's just our health records.

About two weeks ago, a colleague at the British Computer Society asked me a simple question: “Does the Health and Social Care Bill, currently before Parliament, permit medical research without patient consent?”.

Having waded through 400 pages of legislation, I think the answer is “yes”; this blog explains why. I also suggest amendments to ensure that the process is subject to a semblance of Parliamentary scrutiny, unpopular though this concept appears to be.

The Health and Social Care Bill establishes an “Information Centre” whose role is to “promote the effective, efficient and economic use of resources” in the NHS and Local Authority social work care. The term in quotes clearly can involve a wide range of functions: from “research into how best to focus care” (i.e. as efficient health services need medical research) to “how to stop non UK residents obtaining free health care” (i.e. it’s economic to check entitlement prior to providing services).

Perhaps even, in future, an intelligent Minister might justify the creation of a mega-medical database of patient data in terms of efficiency! Perish that thought but look at Clause 250(1)(a) if you want a chapter and verse.

In the early days of widespread data sharing to counter benefit fraud, the Audit Commission used the term “effective, efficient and economic use of resources” to argue that it legitimised its data matching, anti-fraud initiatives. I say this not to decry data matching; merely to point out that the term “effective, efficient and economic use” has, shall we say, a high degree of flexible interpretation to be used by those with powers.

The powers in the Bill (in clause 251) permit the Secretary of State to give directions to the Information Centre. These directions include those purposes that are “necessary or expedient ....in connection with the provision of health care” or “in the interests of the health service” (where a test of "necessity" or "expediency" is not even required).

Did you get the gist? Another set of very flexible terms! As in for example: I am short of money and I think it expedient not to pay my tax bill (i.e. to follow the Greek model of taxation).

Once directions are given, the Information Centre is given powers to “require” (i.e. oblige local authorities and NHS bodies) or request (i.e. ask anybody else) for information to be disclosed to it. The Bill then says that “any provision of information (to the Centre)... does not breach any obligation of confidence but is subject to any express restriction on disclosure imposed by or under any Act...” (Clause 255(7)).

So, if the Secretary of State issues a direction in the context of medical research, the obligation of confidence (e.g. owed by a NHS body) is set aside. As the Data Protection Act does not provide an “express restriction on disclosure”, then disclosure for a medical purpose can proceed without patient consent (assuming no other legislation provides that express prohibition).

Of course, patients have to be told about any research purpose (via a fair processing notice) and might be able to subsequently exercise their right to object (on the grounds that the processing causes unwarranted substantial distress or unwarranted substantial damage). However, this has to be recognised as a fig leaf of privacy protection that has little value.

So what should be done? I think four steps need to be drafted into this Bill (at least):

(1) Where a Ministerial direction concerns the processing of personal data that is likely to set aside an obligation of confidence, the Information Commissioner must be consulted as to the content of the direction before that direction is issued.

(2) If the Information Commissioner is of the view that the direction concerns a matter that Parliament should review, then the direction should only be issued after Parliament has expressly approved the content of a direction (i.e. positive affirmation).

(3) Any Ministerial direction must be accompanied with a report that justifies its need; such a report should be laid before Parliament.

(4) The Information Commissioner should be empowered to ask the Courts to annul a Ministerial direction on the grounds that the direction is likely to result in processing of personal data that does not respect an individual’s private life (i.e. is in breach of Article 8 of the Human Rights Convention).

In the dark ages of New Labour’s surveillance state, I produced an analysis entitled “Nine principles for assessing whether privacy is protected in a surveillance society” (see references below).

What the above shows is that the passing of that Government has not diminished the urgent need to provide checks and balances on the possibility that wide ranging powers will be used by over-zealous Ministers.

References

The “Nine Principles...” analysis is in two parts. Part 1 explains  why the current framework of privacy protection in the UK is deficient especially in the face of wide ranging powers as in this Bill; Part 2 sets out nine principles that rectify the problems identified in Part 1 and promotes specific improvements to the data protection/human rights regime : from http://www.amberhawk.com/policydoc.asp

Advert

Data Protection/FOI courses We have a PIA course coming up in London very soon (early December); places still available. There is a full set of data protection courses in Manchester (Jan 2012) and London (Jan 2012). Our next FOI course is in Leeds (Feb 2012). Details on the Amberhawk website. Next UPDATE timetabled for March 26th.

Proposals for new Data Protection Directive or Regulation in January 2012

The EU Justice Commissioner Viviane Reding, Vice-President of the European Commission, and the German Federal Minister for Consumer Protection, Ilse Aigner, have come forward with a joint statement claiming that proposals to reform the 1995 Data Protection Directive will be published by the end of January 2012.

I have annotated their statement with obvious comments that have come to mind. It is clear that their promise for “to achieve a robust data protection framework for Europe's internal market that can successfully address the challenges of today's digital world” is at odds with the UK view that there is little to change (see references).

The joint statement says the following:

"Data protection is highly relevant for consumers and businesses regardless of borders. It therefore needs to be addressed at the European level, through high, common European standards with global appeal. The Lisbon Treaty provides Europe with a unique opportunity to modernise and strengthen data protection rules now. We both believe that as a result of this reform process, consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established”

Comment: if true, this promises a much. The relatively weak data protection regime “enjoyed” by UK citizens following Durant appears to coming to an end.

“We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a 'cloud'.” (my emphasis)

Comment: this will not appeal to USA companies selling services into Europe. I expect the USA to argue that the European Union is practising economic protectionism justified in terms of a bogus privacy requirement. Facebook is also on notice to reform its privacy practices.

“In modernising the EU's data protection rules, we believe that consumers must be more empowered than they are today. Users should be in control of their data. This is why in our view, EU law should require that consumers give their explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the Internet themselves.” (my emphasis)

Comment: Quick memo to marketing department. Please note that “explicit consent” is not an “opt-out”; lots of love; data protection officer! Also the right to delete is almost as impracticable as a right to forget (see references); it is not the way to deal with this issue.

“We will work closely together to make sure that the modernisation of the EU’s data protection rules addresses these issues and that the EU’s data privacy principles are turned into a reality for consumers and businesses everywhere in Europe."

Comment: note that the above commentary is limited to business personal data and does not include anything about extension of a new data protection directive to law enforcement. Reading the runes, I think this means that new data protection regime could well become split into two; one component relating to upgrading Directive 95/46/EC without the law enforcement and another component dealing with just the law enforcement elements.

This in turn increases the prospect of a Regulation just to upgrade Directive 95/46/EC as the contentious law enforcement extension has been separated off for detailed discussion in a further initiative.

Also politically, I sense that the UK is in a weak position as euro-zone Ministers are getting fed up with the barracking comments from UK finance ministers to “get your house in order”. I am begininning to wonder whether the euro-sceptic tone from the UK means that any UK view on european data protection standards will be quietly sidelined.

Indeed, one way that Sarkozy, Murkel et al “can get pay-back” at the UK is to impose Euro-standards of data protection, by Regulation, on the UK. Afterall, it won't cost them a penny but they know it would sure upset the Brits.

References:

UK Government position re data protection: http://amberhawk.typepad.com/amberhawk/2011/05/government-approach-to-any-new-data-protection-directive-revealed-by-ministers-speech.html

Commission’s view of what is wrong with the UK’s implementation of the Data Protection Act; detailed reasons available from references at end of http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html

Forget about the right to forget: http://amberhawk.typepad.com/amberhawk/2011/03/data-protection-forget-about-a-right-to-forget.html

Reding/Aigner statement is. http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&format=PDF&aged=0&language=EN&guiLanguage=en.

Data Protection/FOI courses We have an audit and PIA course coming up in London very soon. Places still available. There is a full set of data protection courses in Leeds, London and Edinburgh. Our FOI courses are in London (currently underway) and Leeds (in 2012). Details on the Amberhawk site  

ICO’s view on the data protection issues and challenges ahead

I have just delivered a talk at today's NADPO conference and was followed by Jonathan Bamford, Head of Strategic Liaison, at the ICO’s office. A few things he said I was unaware of – so here goes.

The ICO is concerned that the CCTV/ANPR provisions in the Freedoms Bill are limited to police and local authorities whereas CCTV and ANPR technology is widely used by others (e.g. in private car parks), and in an equally potentially invasive way. I got the impression the ICO has asked to Government to modify the Bill so that the CCTV/ANPR provisions could be extended, by order, to other bodies that employ this technology. Will this change be made? Watch this space.

The ICO’s current advice on crime mapping is being revised and will be reissued in the light of experience. The Government want to release more and more detailed information on crime statistics as it is politically popular, so much so, that the release such detail is becoming problematic. For example, does one really need to pin-point on a map (e.g. within 6 houses or so), those houses that have reported an incidence of domestic violence? It is these issues that the ICO is raising with civil servants; reading the runes, I don’t think the Government is listening.

Statistics were presented that show that, since November 2007, there have been 1880 data breach notifications. The breakdown shows that 553 data losses were the result of “disclosure error”, 404 in relation to "lost data/hardware" and 518 in relation to s"tolen data/hardware". These statistics show that nearly 80% of data breaches fall into these three categories. So if you ever wanted a pointer as to what areas to check up on first, then procedures in these three areas are the ones to choose.

In relation to “consensual audit”, the provisions detailed in the statutory Code of Practice on Data Sharing will be assessed by the ICO’s audit staff (if an audit concerns disclosure of personal data). Since 30% of data losses fall into the category “disclosed in error”, I reckon disclosure procedure is the priority area to check.

Remember, the statutory Data Sharing Code of Practice has to be taken into account if any disclosure goes “pear shaped”; it is therefore a very important Code to consider. If you are checking in this area, also include subject access procedures and the disclosure of personal data, relating to other identifiable individuals, under subject access procedures. (There are some Undertakings which treat a mistaken disclosure of third party data when dealing with a SAR as a reportable data loss – see references).

Although Local Authorities have been subject to Monetary Penalties, the implication was that the NHS bodies would attract some penalties soon.

In relation to some carefully crafted commentary on the use of criminal records in employment, I gained the following impressions: (a)  that the Government has promised something in the Freedoms Bill to deal with the issue of an individual not gaining employment because of a caution relating to a minor offence committed decades ago (e.g. nicking some sweets twenty five years ago); and (b) that promise has yet to be realised.

Finally, the ICO is planning to issue a Code of Practice on “anonymisation”. This will contain detailed advice for public authorities who will increasingly provide such anonymous details as a result of the “right to data” in the Freedoms Bill. It will also cover the situation where a recipients of anonymous data attempt to reconstruct the personal data using data from other sources. This Code will be a very interesting read, and I have already told my psychiatrist.

If anyone is interested in my NADPO presentation, I attach it here. It deals with the Accountability Principle (expected in the forthcoming reform of the Data Protection Directive), and my view that such a Principle exists already in the UK Act. In the UK context, all the Principle lacks is the unannounced data protection audit which the ICO wants.The presentation reviews the audits and undertakings from the last 6 months.

Other things were raised in the talk, but I have blogged on these before (see references)

References:

Blogs that contain details of the changes to the  Data Protection regime that the ICO wants:

(1) http://amberhawk.typepad.com/amberhawk/2011/09/information-commissioner-
criticises-the-data-protection-and-freedom-of-information-regimes.html

(2)  http://amberhawk.typepad.com/amberhawk/2011/09/ico-criticises-data-protection-compliance-by-local-authorities-and-cannot-understand-attitude-of-ban.html

My NADPO presentation re Accountability Principle: download here Download BLOG_NADPO_NOV2011_ACCOUNTABILITY

Data Protection/FOI courses

We have an audit and PIA course coming up in London very soon. Places still  available.

There is a full set of data protection courses in Leeds, London and Edinburgh Our FOI courses are in London (currently underway) and Leeds (in 2012). Details on the Amberhawk site