The Data Protection Act (in force since March 2000, implementing the European Union Directive on processing personal data and giving effect to the Gaskin judgment) exists to ensure that people’s right to respect for the privacy and confidentiality of personal details about themselves is upheld. But there has never been any absolute guarantee of privacy in UK law; the doctrine of confidentiality has always given way to competing public interests in particular situations.
The NHS and local authorities are bound by the Data Protection Act, with regard to rules about processing data and subject access rights to that data. The guidance to the NHS built on earlier information about the doctrine of confidentiality called The Protection and Use of Patient Information, in HSG (96)18. These bodies are obliged to ensure that any arrangement made with a third party to process personal data on behalf of the body is made in a written contract requiring compliance with the law.
Each authority must have a Data Protection Officer, and that officer must provide advice and guidance on the Act and co-ordinate the authority’s implementation of the Act. Each must also have a Liaison Officer with responsibility for policy on personal information and for ensuring that the rules governing subject access and security are adhered to.
Each body’s Data Protection Officer needs to be aware of the Act and regulations made under it, and the thrust of guidance from the DH and from the Information Commissioner. In 1999 the NHS Information Authority issued an Action Plan designed to ensure that the NHS complies with the Act, without the need for legal advice at every turn. Guidance was sent to local authorities and health authorities in advance of the DPA 1998 coming into force. DH guidance on rights to access to health records sets higher standards than the Act in some respects. Transitional rules apply to personal data in a health record until 24 October 2007, to varying degrees. The starting date for the Second Transitional Period is 24 October 2001.
The first principle of the Act requires fair and lawful processing of data. All bodies therefore have to abide by the common law doctrine of confidentiality to meet this requirement. The Data Protection Act goes further than that, however, by regulating the purposes for which the information may be used by the holder.
The 1998 Act repealed the 1984 Act and repealed the Access to Personal Files Act 1987 and most of the Access to Health Records Act 1990. The DPA will eventually apply to all personal data no matter when compiled. This includes manual data which form part of an accessible record.
Health records and social services records count as s68 accessible records – ie records which can be accessed. If someone asks for their case record it means all the records held by the department.
The definition of personal data includes any expression of opinion about the individual or any indication of intentions of the authority towards the person.
The DPA sets out 8 principles of data protection, listed in schedule 1 part I; the principles limit the reasons for which personal data may be obtained, and specify how data may be used. Schedule 2 lays down the conditions required for the purposes of fair and lawful processing of any personal data, and Schedule 3 specifies the extra conditions relevant to the processing of sensitive personal data.
Personal data should be obtained, in the first place, only for one or more specified and lawful purposes. It should be collated with regard to adequacy, relevance and proportionality in relation to the purpose for which it is processed. It should be accurate and kept up to date. It should not be kept longer than is necessary. All data controllers are (unless specifically exempt) obliged, before they can process personal data at all, to notify key details of their processing to the Commissioner and these details are entered on a public register.
The Act aims to ensure that confidentiality of information is respected, and to provide for consistency of treatment of data, amongst staff, providers etc. It is important for staff to know the purposes for which the data is used, who can use it, to whom it can be disclosed, and whether and for how long it will be held in a form in which it could identify individuals.
The Act requires that in order to satisfy the fair processing requirement of the Act, in the case of sensitive personal data, the consent of the person concerned (where it is required) must be explicit. Consent is the informed indication of the wishes of the data subject, that he or she agrees to personal data being processed. Consent cannot be inferred from a non-response to a communication or from a mentally incapacitated person.
The concept of processing data covers obtaining it, recording it, holding it or carrying out organisation, adaptation, alteration, retrieval or disclosure of it; under the new law, all files and indexes or relevant manual filing systems count as records.
Unless one or more of the conditions appearing below applies, processing of sensitive personal data is expressly prohibited by the DPA. The most relevant conditions are:
The processing is necessary in order to protect the vital interests of the data subject or another person in a case where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject or where the data subject unreasonably withholds information necessary to protect the vital interests of another person
The processing is necessary for the exercise of any functions conferred by or under any enactment
The processing is necessary for medical purposes and is undertaken by a health professional or a person owing a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
Who is covered?
The clients covered by the Act’s rules might be individuals, households, families, or groups in receipt of a service, so long as they are all individuals.
A data subject is any individual who is the subject of personal data, so the term would not apply to companies, partnerships or organisations providing social care, although their staff could be individual data subjects.
Who is a recipient?
The definition of a recipient of data does not include persons to whom disclosure is, or may be, made as a result of or with a view to a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law. This is consistent with the principle that other statutory agencies have a right to the information without it counting as disclosure and hence without any need for consent for that sharing.
This definition is crucial, in our view, to good co-operation in joint working, particularly with the police. The local authority can say it is not a recipient of data, because it is a corporate person to whom disclosure will be made, with a view to a particular inquiry by that authority, made in the exercise of a power conferred by law – eg s47 NHSCCA, regarding the assessment of risk to the client.
The form of processing constituted by disclosure is specifically allowed in the interests of compliance with statutory and legal obligations.
The department is supposed to maintain a list of third party recipients to whom disclosure is specifically allowed, for their own social services purposes. Examples are suggested as being local authority approved authorised organisations e.g. voluntary organisations, health professionals, the police, the ombudsman etc.
The ADSS code of practice
It is a part of the Code of Practice created by the Association of Directors of Social Services Information Management Group that staff must not mislead clients as to the purpose for which the information is required, nor exaggerate the extent of their legal authority to request it.
The Code emphasises that at the time of collection all data subjects and providers are to be informed that in the interests of the individual and where there is a shared purpose, personal data may be shared with other organisations. Consent is one of the key conditions, at least one of which must be met when processing data, but there are others which make the collection and disclosure of the information in social services files easily justifiable by staff involved in joint working.
However, that does not mean that good practice should be ignored, and the Code encourages the seeking of consent even where one of the other conditions has been met (such as the use of data for Crime and Disorder purposes, or that of sharing data and joint working).
Good practice in record keeping is highlighted in the guidance. It suggests that the person’s agreement to sharing information within the organisation should be obtained, but this is in guidance as to practice, not the law. Authorities are expected to have policies on retention and disposal of records and procedures for the determination of information-related disputes.
In terms of best practice, once it becomes apparent that it will be necessary to create a record about a data subject, the authority should provide the individual concerned with:
a copy of the department’s leaflet on information policy,
information regarding the fact that a record will be created and maintained,
a description of the purpose for which the data are to be kept and processed and
whether or not the information is required in the exercise of the department’s statutory powers,
information regarding others within the authority or external to it to whom it can be reasonably anticipated data would be disclosed without the consent of the data subject, and
an explanation of the subject’s right of access to the data and
an explanation that the record will so far as is possible be constructed jointly by the staff member and the subject, that information to be sought from third parties will normally only be so sought with the consent of the individual and that the security of the personal data is safeguarded.
Staff are supposed to include in the records of clients and providers indications of the source of the information, be it the subject or a third party and whether or not the facts have been verified.
The Code stresses that sensitive personal information about racial or ethnic origins, political opinions, religious beliefs, membership of a trade union, details of physical or mental health or condition, details of a person’s sex life, or of any commission or alleged commission by him or her of any offence, and the final disposal of any such proceedings, deserves particularly careful attention before sharing.
An Overview of the approach since 2007
Following the Court of Appeal judgment in Durant, the Information Commissioner’s Office (ICO) published guidance on the meaning of “personal data”. In the Durant case, the Court narrowed the definition by holding that data would only be defined as personal data in a document where the information related only to that individual, and affected that individual’s privacy when he or she was the focus of the document and not just mentioned in it. The ICO’s original guidance focussed on what was not covered by the term personal data. The latest guidance places greater emphasis on what is covered by the term, using a number of useful examples. The guidance is in line with the Data Protection Act 1998 and EC Directive 95/46/EC (the European Data Protection Directive).
For the purposes of the Act and the Directive the term Data now covers four types of data:
o Electronic data
o Data forming part of a relevant filing system
o Data forming part of an accessible record (other than electronic or relevant filing system)
o Data recorded by a public authority
Previous guidance issued by the ICO states that in most cases it will be obvious whether the data being processed, in either electronic or manual format, relates to an identifiable individual and consequently whether the processing concerns personal data. However, there may be occasions when it is less clear whether the data is personal data or not.
Is the ‘data’ ‘personal data’?
The guidance states that an individual must be distinguishable from others in the group. Sufficient information, such as a name and address, may be required in order to do this, but this will not always be the case. Unique identifying features of an individual may also suffice. A combination of data about gender, age and grade or salary may enable the identification of a particular employee even without a name or job title. However, whether or not the individual is identifiable will depend on “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. If there is only a possibility that an individual might be identified through close analysis of the data, this will not be sufficient to make the individual identifiable.
Where data is not obviously about an identifiable individual the guidance suggests a number of questions which should be asked which may help decide whether data is personal data.
o Could the data be processed to learn, record or decide something about an individual?
o As a consequence of the processing could you learn or record something about an identified individual?
o Could the processing have an impact on or affect an identifiable individual?
There will be cases where data is not itself personal data but in certain circumstances it will become personal data where it can be linked to an individual to provide particular information about that individual.
Example: Salary details for a particular job may not, by themselves, be personal data, but where linked to a named employee, the salary information will become personal data.
Another example might concern data about a house where it is linked to an individual or used in deliberations or decisions concerning an individual. In both cases the data relates to the individual because the purpose of processing that data is to learn something about the individual.
A single piece of data which is not personal data for one data controller may become personal data when it is passed to another data controller.
Example: A photo taken of revellers in Trafalgar Square on New Year’s Eve by a photo journalist for his photo library and a similar photo taken by a police evidence gatherer in order to identify potential troublemakers. The photo in the possession of the journalist is not personal data but in the hands of the police will become personal data. Whether or not data is personal data in the hands of one party and not another will therefore depend on the purpose and potential impact of the processing of the data.
Where information is not obviously about an individual or clearly linked to one, it may be necessary to consider ‘biographical’ information. This means considering whether the data goes beyond recording the individual’s casual connection with a matter or event which has no personal connection.
Example: An attendee listed in the minutes of a meeting where the minutes have significance for the individual in that they record the individual’s whereabouts at a particular time.
Focus of the information
Whether the remaining contents of the minutes contain information of biographical significance (and constitute personal data) will be determined by the ‘focus’ of the minutes.
Example: where an individual’s suitability for a post is discussed, the record of these discussions will be personal data.
Where the focus of a meeting is about one or a number of individuals, such as in the example above, then it is likely that the minutes held as data will be personal data about those individuals. The personal data will include not only those facts about the condition or behaviour of the individual discussed but any third party opinions or any intentions of any person in respect of that individual. Whether comments made about a particular individual constitute ‘personal data’ will depend on the capacity in which the speaker made the comments. In other words, it will depend on whether the individual was giving a personal opinion or putting forward views on behalf of another. The views of a company or organisation expressed by its agent are not personal data about the agent.
Objects or things
Where information is processed to monitor an object or thing such as a machine, it is unlikely to be ‘personal data’ unless the information gathered is also used to monitor an individual such as the productivity of the person who operates the machine. If this type of information is linked to an individual to learn something about them then it will become personal data.
There may be occasions where the data controller occasionally processes information to learn something about an individual. Even though this is not the purpose of the processing by the data controller, information gained about an individual in this way will become personal data.
Example: A taxi firm which records the movements of its vehicles by using tracking devices for business efficiency and customer service. If the control centre for the taxi firm uses this tracking system to locate and contact individual taxi drivers for reasons unconnected with the business (such as a request by a family member) the data will be personal data as the processing has an impact on the individual.
What is relevant in this example is whether the processing of the information has or could have a resulting impact upon the individual, even though the content of the data is not directly about that individual, nor is there any intention to process the data for the purpose of determining or influencing the way the person is treated.
There still may be occasions where there is uncertainty about whether data is personal data. As a matter of good practice, data controllers should still treat the information with care and ensure it is disposed of securely. Other issues concerning ‘personal data’ can be found in the appendices to the guidance at www.informationcommissionersoffice.com