Tag: data protection

High Court Judgment on Inspection of Personal Data

Posted on | by Anya Proops KC

The High Court has recently handed down an interesting judgment on the extent to which redacted personal data contained in documents disclosed in the course of litigation was vulnerable to inspection. The judgment also highlights some of the limits which may be placed on parties seeking inspection of databases containing personal data. In Webster & Ors v Ridgeway Foundation School Governors [2009] EWHC 1140 (QB), the claimants had brought claims against the governors of a school on the basis that they had suffered racially motivated assaults on school property. They alleged that the governors had caused or contributed to the injury by negligently failing to maintain proper disciplinary standards or otherwise taking proper care with respect to pupil security, particularly by allowing racial tensions to develop. During the course of standard disclosure, the governors disclosed a log of investigations into racist incidents, bullying and aggression in the school. Moreover, one of their witness statements disclosed the existence of a computerized system used to record pupil behaviour. The governors allowed inspection of the disclosed documents but redacted the names of purported victims of racism, bullying and aggression. The claimants sought disclosure of the redacted names and, further, of the computerized system. They argued that they needed to access this information in order to assess whether there were other pupils who might be able to provide useful evidence and that they had a right to inspect that information given that its existence had been disclosed by the governors.

Nicol J refused the claimants’ application for inspection of the redacted information and the computerized system. He held that that the mere fact that a document had been disclosed did not mean that there was an automatic right of inspection in respect of all of the information it contained, not least this was because some of the information in the disclosed document may not be relevant to the matters in issue. On the facts of the instant case, Nicol J found that inspection of the redacted names could and should be refused on the basis that: (a) it would amount to an interference with the privacy rights of the individual children named in the documents; and (b) that interference was not necessary in the instant case as the claimants did not need to know the identities of the purported victims in order to have a fair trial or for the fair disposal of the litigation (Science Research Council v Nasse [1980] AC 1028 HL applied). With respect to the computerized system, Nicol J accepted that mention of a document in a witness statement could be equated with inclusion of a document in a disclosure list and, hence, prima facie it would give rise to an obligation to permit inspection. However, he also held that that general proposition was subject to the qualifications contained in CPR 31.3, which included the right to object to disclosure on grounds of proportionality. Nicol J went on to find that permitting inspection of the computerized database would be disproportionate, particularly because: (a) the governors would have to redact the entire database to ensure that any private information relating to individual pupils and, further, any irrelevant information was not disclosed, which was a very substantial task and (b) undertaking this task was disproportionate having regard to any possible benefit for the claimants and the issues in the case. 

NHS SPINE – PERMISSION TO DELETE CARE RECORDS

Posted on | by Anya Proops KC

The creation of electronic summary patient records which can readily be accessed by medical teams on the NHS broadband computer system, known as the Spine, is one which has met with approval in many quarters. This is unsurprising given the potential health benefits resulting from clinicians being able to access such records. However, this approval has been tempered by concerns that the NHS, in common with other large-scale public authorities, may not be able to maintain appropriate levels of security with respect to this manifestly sensitive personal data. Yesterday the Guardian reported that, following talks between the ICO and Connecting for Health (CfH), the agency responsible for implementing the records scheme, CfH has now yielded to calls for NHS patients be given the right to have their summary care records deleted from the system (although deletion would not occur if the records had already been used, in which case they would be archived for medic-legal reasons). The right to have records deleted will be additional to the right already granted to patients to opt out of the scheme before a record is created for them. CfH’s decision to permit patients to have their record deleted represents a move away from earlier proposals that, where objections were made, the record would simply be ‘masked’ within the system. Notably, the news over changes to the care records scheme comes only days after it was revealed that records revealing personal data relating to tens of thousands of MOD personnel, which were lost last year, had contained not merely financial information but also highly sensitive vetting information. The revelations have been controversial because, whilst the loss was announced last year, neither Parliament nor the ICO were informed that the lost data included sensitive vetting data.

ABORTION STATISTICS AND PERSONAL DATA

Posted on | by Anya Proops KC

The Information Tribunal will this week begin hearing an important appeal against a decision of the Information Commissioner that certain abortion statistics relating to ground (e) abortions (abortions in cases of disability) were disclosable under section 1 FOIA. The appeal concerns in particular the interesting and difficult question of whether and to what extent ostensibly anonymous, statistical information can nonetheless constitute ‘personal data’ for the purposes of the personal data exemption provided for under section 40 FOIA. Before the Commissioner, the DH argued that, whilst the information in the abortion statistics does not per se identify any particular individual, because the statistics themselves relate to a relatively small number of cases, it would still be possible to identify particular patients and/or doctors who have carried out the abortions, particularly if the statistics were married either with other information held by the DH or already in the public domain. The Commissioner was not persuaded by that argument. He held that the statistical information was so far removed from the information on the Abortion Notification forms from which the information was derived that it no longer retained the attributes of personal data. The proposition that proximity to identifying information should be the barometer of whether particular anonymous information constitutes ‘personal data’ is likely to be hotly contested before the Tribunal. Watch this space for further news! Tim Pitt-Payne will be appearing on behalf of the Commissioner.

CCTV In the Dock

Posted on | by Anya Proops KC
A Home Office funded review on the effectiveness of CCTV cameras in the fight against crime has found that it has only a ‘modest impact on crime’. The review, undertaken by the Campbell Collaboration found that the use of CCTV was not effective in cutting vehicle crime in car parks, especially when used alongside improved lighting and the introduction of security guards. The review’s conclusions are likely to prompt further debate not only on the cost effectiveness of using CCTV as a weapon to cut crime (CCTV is now the single most heavily funded crime prevention measure operating outside the criminal justice system) but also on whether the pervasive use of CCTV within our society can be justified, particularly given its potential to interfere with the right to privacy.  Notably, The Home Office cited the review in the context of its response to the House of Lords Comittee on the Constitution Inquiry into ‘Surveillance: Citizens and the State’ (and see my earlier post on the Committee’s report). In its response, the Home Office stated that: In reviewing existing policies and processes, the Government will seek to ensure that due consideration is given to the following key principles: Are robust safeguards in place to protect the information and indiviudal liberties? Are our plans and actions proportionate to the damage and the threat they are seeking to prevent? Are we being as transparent as possible? Are citizens being given the right amount of choice?The Home Office’s response should be read in conjunction with the Information Commissioner’s response to the Committee’s report which was published in 15 April 2009.

 

Police DNA Database Cut Down to Size

Posted on | by Anya Proops KC

The Home Secretary, Jacqui Smith, will this week unveil plans to remove from the police national database DNA information relating to up to one million innocent people. The proposals come in the wake of the ECtHR’s judgment in Marper in December 2008 that the practice of retaining the DNA profiles of innocent people on the database constituted an unjustified interference with the Article 8 right to privacy. Privacy campaigners have welcomed this development but continue to lobby for further limitations on the database, including removing the DNA profiles for minor offenders. See further Tim Pitt-Payne’s article on the Marper judgment in the New Law Journal.

Super Database – Not so Super After All

Posted on | by Anya Proops KC

The Home Secretary has this week announced that proposals to create a State run super database, which would track everyone’s use of email, internet and text messages, have been scrapped. The announcement is hardly surprising. It was always going to be difficult to persuade the public that such a database could be kept secure, particularly in light of recent high profile controversies about large scale losses of electronic personal data by government agencies. Moreover, allowing the State to develop such a vast single repository of electronic communications data was always going to raise questions as to whether the resulting interference with private rights was proportionate and was otherwise consistent with the State’s obligations under the Data Protection Act 1998. The Government has now issued a consultation paper on new plans to allow telecommunications companies to retain the communications data for a period of 12 months. See further the Home Secretary’s Ministerial Statement.