Note: this blog was published 20 hrs before the very sad news of the suicide of the nurse who was the subject of the hoax.
A quick blog about the press coverage of the prank call concerning Kate Middleton’s morning sickness. It appears that this has overlooked some interesting data protection aspects relating to criminal offences and monetary penalty notices
First is the prank an offence under Section 55 the Data Protection Act? At first sight, the answer is “yes” because the information released to the Australian radio presenters would be contained in personal data; even if Kate’s records were in paper form (i.e. Accessible Records), the information released would be from personal data and the disclosure would not have the consent of the data controller (The King Edward VII Hospital). Please note that I am assuming that the medical information disclosed by the nurse goes wider from that disclosed by the official announcements.
The only defence that is currently in place to the offence is that the obtaining of information contained in personal data is “in the public interest” – whatever that means. The normal punishment is a £5,000 fine.
As is well known, the Section 55 offence was to be made custodial (up to two years imprisonment) in line with the Computer Misuse Act. Although the legislation making this change has been enacted, it has not been activated.
Those changes also included a defence to the Section 55 offence specific for the press. So in the context of the radio presenters, there would be no offence if the presenters acted:
(i) for the special purposes, .
(ii) with a view to the publication by any person of any journalistic, literary or artistic material, and .
(iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest”.
Well I think most of the tabloid press, if they had “done it” would have argued that any story based on this material would be “in the public interest” on the grounds that there is mammoth interest in the Kate’s pregnancy. I also think that even in the post Leveson era that the tabloid press would still think this was the case.
So an interesting question to ask is each editor is: "suppose an editor had obtained the Kate Middleton information, would they have run the story as an exclusive?".
Note also that the protection from the section 55 offence is aimed at protecting the investigative journalist or journalism that has a public interest. So we can see now that any opposition to this offence (which is prevelant in the press) has to be explored in terms of journalism that does not meet any "public interest threshold". I wonder what kind of journalism that is?
As is well known, the press are opposed to the other data protection recommendations from Leveson.
One of them reads as follows:
“The necessary steps should be taken to bring into force the amendments made to section 55 of the Data Protection Act 1998 by section 77 of the Criminal Justice and Immigration Act 2008 (increase of sentence maxima) to the extent of the maximum specified period; and by section 78 of the 2008 Act (enhanced defence for public interest journalism”.
In July 2011, Deputy Prime Minister Nick Clegg told the BBC for those guilty of obtaining personal information by deception - known as "blaggers" - to be jailed. By contrast, David Cameron is not convinced this is needed.
The second data protection issue is addressed to the data controller (The King Edward VII Hospital). Are they vulnerable to enforcement or a Monetary Penalty Notice? Are staff properly trained? Are there appropriate organisational measures to protect personal data from unauthorised disclosure?
Well obviously I can’t answer these questions, but I can provide list similar events that have resulted in enforcement (e.g. when sensitive personal data about one individual has been disclosed, let alone broadcasted to the planet). These cases are:
- On 15 February 2012, a monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients.
- On 14 March 2012 a monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl.
- On 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report - containing explicit details relating to a patient’s health - was sent to the wrong person.
- On 12 July 2012 a monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
- On 25 February 2011, an undertaking to comply with the seventh data protection principle has been signed by Doncaster Metropolitan Borough Council. This follows the disclosure of third party data by the council during court proceedings.
- On 20 September 2011, an undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.
- On 17 October 2011, an undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employee’s personal data in response to a Freedom of Information (Scotland) Act request.
- On 5 April 2011, an undertaking to comply with the seventh principle of the DPA has been signed by City of York Council, further to the inappropriate disclosure of an individual’s personal data, which occurred as a result of the information in question being erroneously included with documentation sent to an unrelated third party.
So in my view, is that the hospital’s review of “telephone protocols” might not be enough.
References
Clegg’s speech supporting the custodial sentences applying to journalists. http://www.bbc.co.uk/news/uk-politics-14150348
Advert
We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See side panel for links to all details as well as our DP/FOI courses.
Re: >
I believe that 'in the public interest' means that publication is justified only if the benefit to the public outweighs the need for personal data protection.
Just because people are 'interested' does not mean that its publication is in the public interest...
Posted by: Brianwernham.wordpress.com | 11/12/2012 at 09:02 PM