The creation of electronic summary patient records which can readily be accessed by medical teams on the NHS broadband computer system, known as the Spine, is one which has met with approval in many quarters. This is unsurprising given the potential health benefits resulting from clinicians being able to access such records. However, this approval has been tempered by concerns that the NHS, in common with other large-scale public authorities, may not be able to maintain appropriate levels of security with respect to this manifestly sensitive personal data. Yesterday the Guardian reported that, following talks between the ICO and Connecting for Health (CfH), the agency responsible for implementing the records scheme, CfH has now yielded to calls for NHS patients be given the right to have their summary care records deleted from the system (although deletion would not occur if the records had already been used, in which case they would be archived for medic-legal reasons). The right to have records deleted will be additional to the right already granted to patients to opt out of the scheme before a record is created for them. CfH’s decision to permit patients to have their record deleted represents a move away from earlier proposals that, where objections were made, the record would simply be ‘masked’ within the system. Notably, the news over changes to the care records scheme comes only days after it was revealed that records revealing personal data relating to tens of thousands of MOD personnel, which were lost last year, had contained not merely financial information but also highly sensitive vetting information. The revelations have been controversial because, whilst the loss was announced last year, neither Parliament nor the ICO were informed that the lost data included sensitive vetting data.
Tag: data sharing
Recent conference papers
On 11 KBW’s main website, you can now find some conference papers delivered this month by members of chambers.
There’s a paper that I gave at a Northumbria University conference. The theme of the conference was information sharing; my paper is about the new law on breach of confidence (post-Campbell v MGN).
Yesterday, the LGG/11KBW legal update conference took place, with about 115 delegates. Karen Steyn gave a paper on recent case-law affecting local authorities; the first section is about information law. I gave a paper about employment vetting. In discussion, delegates were clearly very interested in getting to grips with the new ISA barring regime. Questions were raised about its implications for elected members of local authorities, and for volunteers (e.g. parents helping out in schools).
Another subject raised in discussion was the recent decision of the Administrative Court in R(G) v Governors of X School and Y City Council. A music assistant employed at a primary school was dismissed; the allegation was that he had formed an inappropriate relationship with a 15 year old boy who was on work experience at the school. The school’s disciplinary committee told the employee that they would be reporting the case to the Secretary of State for potential inclusion in “list 99” (i.e. the statutory list of those banned from working in schools). The Court quashed the decision because the school had refused to allow legal representation at the dismissal hearing or at a forthcoming appeal. The disciplinary proceedings, and the referral to the Secretary of State for a potential banning direction, formed part of one and the same proceedings. Those proceedings were not criminal in nature for the purpose of article 6 of the Convention. However, their potential consequences were grave; and procedural fairness required the claimant to be allowed legal representation, before both the school’s disciplinary committee and its appeal committee.
A problem shared is a breach of the DPA?
It’s a good time for a conference about information sharing. The data sharing provisions in the Coroners and Justice Bill have been withdrawn, in the face of widespread criticism – including from the Bar Council (for more background, see our previous posts here and here). The question whether anything will be done to implement last year’s Thomas/Wolpert review remains an open one.
Against this background, Northumbria University’s conference on 17th April is topical. Speakers include Richard Thomas (coming to the end of his term as Information Commissioner), Marcus Turle from Field Fisher Waterhouse, and Steve Eccleston from Sheffield City Council. I shall be delivering a paper about breach of confidence and its significance for information sharing (I will post it on the 11KBW website after the conference).
The Age of Internet Surveillance
With effect from today, all UK internet service providers (“ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).
A suitable case for recruitment
Information law overlaps with employment law in two main ways, in relation to employment vetting and employment monitoring. Broadly speaking vetting is about the enquiries that an employer can make before recruitment, and monitoring is about checking on the performance and behavior of existing employees.
The legal framework for employment vetting is changing radically, as the Safeguarding Vulnerable Groups Act 2006 is brought into force. The Act implements the Bichard Report, which followed an inquiry into the notorious 2002 Soham murders. It establishes a new vetting and barring scheme for those working with children or vulnerable adults, to be operated by a statutory body called the Independent Safeguarding Authority (ISA).
With effect from 20th January 2009, the ISA was given responsibility for decision-making under the 3 existing employment barring lists: the education list, (popularly known as “List 99”), the PoCA list (for those working with children) and the PoVa list (for those working with vulnerable adults). As from 12th October 2009 these 3 lists will be replaced by two new lists introduced by section 2 of the 2006 Act and maintained by the ISA – the children’s barred list and the adults’ barred list. Employers, social services and professional regulators will have a duty to share information with the ISA. From July 2010, new entrants to roles working with vulnerable groups and those switching jobs within the sector will be able to register with the ISA, and employers will be able to check registration status online. The legal requirement for new entrants and those moving jobs to register with the ISA, and for employers to check on their status, will come into force by November 2010. The intention is to bring the whole of the existing workforce into the scheme by 2015.
I will be delivering a paper about employment vetting at the Local Government Group conference on 29th April, and the paper will be available on 11KBW’s website after the conference. For consideration of whether the existing PoVA list is compatible with articles 6 and 8 of the European Convention on Human Rights, see R (ota Wright) v Secretary of State [2009] UKHL 3. For the timetable for implementing the 2006 Act, see here and here.
Rowntree Report on Database State
The Joseph Rowntree Reform Trust has today published its report ‘The Database State’. The report purports to amount to the most comprehensive map of central government databases yet created. In total 46 databases across the major government departments were considered in the report, including, for example, the national DNA database, the national pupil database, the NHS detailed care record system and the automatic number-plate recognition system. In summary, the report concluded that:
- a quarter of the 46 databases reviewed were ‘almost certainly illegal under human rights or data protection law; that they should be scrapped or substantially redesigned’ (including, for example, the Contactpoint index of all children in England and the national DNA database – on the latter database, see further the January 2009 post on the Marper case);
- ‘more than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge’ (including, for example, the NHS Summary Care Record and the National Pupil Database);
- fewer than 15% were ‘effective, proportionate and necessary with a proper legal basis for any privacy instrusions’;
- Britain was generally out of line with other developed countries as a result of its comparably greater tendancy to centralise and share records on sensitive matters like healthcare and social services; that ‘the benefits claimed for data sharing are often illusory’.
Along with the House of Lords Report on the Surveillance Society published in February 2009 (see further the February 2009 post on the Lords Report), this report is likely to increase pressure on the Government to reexamine a raft of policies on data collection, management and storage.
https://www.jrrt.org.uk/uploads/Database%20State.pdf
Executive Summary:
https://www.jrrt.org.uk/uploads/Database%20State%20-%20Executive%20Summary.pdf