Attorney General v BBC [2022] EWHC 1189 (QB) – High Court considers what information can be made public about alleged MI5 CHIS

In a judgment handed down on 18 May 2022 the High Court considered what information the BBC can publish in a story concerning the actions of an alleged MI5 covert human intelligence source (“CHIS”).

The BBC alleged that X was a CHIS and had been psychologically and sexually abusive to two female partners.

The judgment can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2022/1189.html

The judgment is in two parts, one heard in public and the other in private. The private hearing was held to be necessary so that the Court could hear submissions about information that, if released to the public, would make the identity of the alleged CHIS known.

Mr Justice Chamberlain comments: “The court must be alert to the possibility of “jigsaw” identification. One piece of information may on its own seem innocuous, but when taken together with other information known to a particular malign actor, it may lead to the identification of an individual with greater or lesser confidence. The threat of jigsaw identification is a familiar feature of arguments against disclosure in closed material proceedings in the national security context. It is regularly deployed as a basis for refusing to disclose information known only from covert sources. But, although the court must be alive to the threat of jigsaw identification, it must also be astute not to allow the threat to justify a blanket prohibition on disclosure of any piece of the jigsaw.”

at p.24
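The mechanism the judge describes is what the data protection and anonymisation literature calls a linkage attack, and it can be measured rather than argued about. The following is an added illustration, not part of the judgment or of this post, using an entirely constructed population: every record, attribute and value below is invented. It shows how attributes that are harmless on their own narrow the candidate set when combined, and how to compute, for any combination of pieces, the smallest group of people that combination would leave, which is the check a publisher or court would want before deciding which pieces of the jigsaw can safely be released.

```python
"""Jigsaw identification with constructed data: an added illustration.

Every record below is made up for this example; none of it comes from the
judgment or from the BBC's reporting. It shows how attributes that are harmless
on their own narrow a candidate set when combined, and how to measure the
smallest group any combination of attributes would leave before release.
"""
from collections import Counter
from itertools import combinations

# Constructed population: fictional people who could plausibly match a
# published description. All attribute values are invented.
POPULATION = [
    {"id": 1, "region": "London",     "age_band": "30-39", "sector": "security", "language": "Arabic"},
    {"id": 2, "region": "London",     "age_band": "30-39", "sector": "security", "language": "English"},
    {"id": 3, "region": "London",     "age_band": "40-49", "sector": "security", "language": "Arabic"},
    {"id": 4, "region": "Manchester", "age_band": "30-39", "sector": "security", "language": "Arabic"},
    {"id": 5, "region": "London",     "age_band": "30-39", "sector": "finance",  "language": "Arabic"},
    {"id": 6, "region": "London",     "age_band": "30-39", "sector": "finance",  "language": "English"},
    {"id": 7, "region": "Manchester", "age_band": "40-49", "sector": "security", "language": "English"},
    {"id": 8, "region": "London",     "age_band": "40-49", "sector": "finance",  "language": "Arabic"},
]

# The attributes a story might release (hypothetical quasi-identifiers).
QUASI_IDENTIFIERS = ("region", "age_band", "sector", "language")


def candidates(population, released):
    """Records consistent with every attribute released so far (the jigsaw pieces)."""
    return [r for r in population if all(r.get(k) == v for k, v in released.items())]


def candidate_count(population, released):
    """How many people an adversary still cannot tell apart after these releases."""
    return len(candidates(population, released))


def smallest_group(population, keys):
    """Size of the smallest group of people sharing the same values for `keys`.

    This is the k of k-anonymity for that attribute combination. A result of 1
    means at least one person is uniquely identifiable from those attributes.
    """
    groups = Counter(tuple(r[k] for k in keys) for r in population)
    return min(groups.values())


def risky_combinations(population, keys, k=2):
    """All subsets of `keys` whose joint release would leave someone in a group
    smaller than k. A pre-publication check: each returned tuple is a set of
    pieces that, put together by a malign actor, singles out an individual."""
    risky = []
    for n in range(1, len(keys) + 1):
        for combo in combinations(keys, n):
            if smallest_group(population, combo) < k:
                risky.append(combo)
    return risky


if __name__ == "__main__":
    # A hypothetical story releases one piece at a time about person 1.
    pieces = [("region", "London"), ("sector", "security"),
              ("language", "Arabic"), ("age_band", "30-39")]
    known = {}
    for key, value in pieces:
        known[key] = value
        print(f"after releasing {key}={value!r}: {candidate_count(POPULATION, known)} candidates")
    # Which combinations of pieces would be unsafe to publish together?
    for combo in risky_combinations(POPULATION, QUASI_IDENTIFIERS):
        print("unsafe together:", ", ".join(combo))
```

Run on the constructed data, the four pieces released one at a time take the candidate set from six people to one, even though no single attribute identifies anyone; and `risky_combinations` reports that "region" together with "sector" is safe to release but "region" together with "age band" is not. That is precisely the distinction Chamberlain J draws: the question is never whether a piece is innocuous in isolation, but what it identifies in combination with what the adversary already knows, and that is a computation, not a blanket rule.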

The BBC’s article on the case can be found here: https://www.bbc.co.uk/news/uk-61528286

The initial BBC coverage of this matter is here: https://www.bbc.co.uk/news/uk-61508520

And details of the legal action one of X’s former partners intends to take against MI5 are here: https://www.bbc.co.uk/news/uk-politics-61521569

Citation: The Guardian: Privacy laws could be rolled back, government sources suggest – A rebuttal

The Guardian has a piece suggesting, following the judgment of the UK Supreme Court this week in ZXC, that privacy laws could be rolled back by a replacement for the Human Rights Act.

Following the judgment in ZXC a government spokesperson has stated: “A free press is one of the cornerstones of any democracy. The government recognises the vital role the media plays in holding people to account and shining a light on the issues which matter most. We will study the implications of the judgment carefully.”

Whilst political sources are usually careful not to criticise judges, the balance between freedom of expression and privacy rights of individuals is a contentious area, drawing critical voices from both sides of the debate. TPP advocates balance between the two competing rights.

It should be noted that whether someone has a reasonable expectation of privacy in respect of information regarding a criminal investigation pre-charge still calls for a highly fact-sensitive and nuanced approach. The court has set a general presumption, but one that reflects a careful case-by-case approach in which all the circumstances of a case are taken into account.

The finding in ZXC does not mean there can never be a case in which a pre-charge criminal investigation can be made public by the press. That involves balancing privacy rights against freedom of expression, the second limb of the well-entrenched two-stage test. Notably, this second limb was not at issue in ZXC.

Therefore, ZXC serves to reinforce pre-existing caselaw, particularly following the Cliff Richard case, in finding that pre-charge details of a criminal investigation fall within one’s reasonable expectation of privacy. That expectation then has to be outweighed by freedom of expression and, one would posit, public interest arguments.

The suggestion from the Government that “there should be a presumption in favour of upholding the right to freedom of expression, subject to exceptional countervailing grounds, clearly spelt out by parliament” is a dangerous one.

As the ZXC judgment rightly points out, neither privacy rights nor freedom of expression takes precedence over the other. The rights have, importantly, always been couched as equally weighted. Both rights are fundamental to a democratic society.

The government wading into such a sensitive process is concerning, not least by touting criticised approaches to reforming the Human Rights Act. The safeguarding of an individual’s privacy, allowing for autonomy, is as fundamental to a democratic society as a free press.

Examine the cases and a fact-sensitive, highly nuanced approach to balancing the competing fundamental democratic rights of privacy and freedom of expression readily emerges.

Judges are acutely sensitive to this fact in striving to independently adjudicate complex matters of fact and law. The Meghan Markle case is one of the recent examples of where the balance between privacy and expression has been brought into debate in the public consciousness. Brett Wilson’s Media Law Blog comes to the defence of privacy and the judiciary, an approach which TPP endorses.

To circle back, ZXC has prompted a fresh wave of criticism in an area which has typically been at the cutting edge of this debate: the rights of those suspected of criminal activity. And, I add with emphasis, at the pre-charge stage and without the second limb of the two-stage test having been applied.

Again, the law makes the critical distinction here. Open justice and public interest rightly hold sway at the post-charge stage.

And even in those circumstances the balancing of competing rights comes into play. In the right to be forgotten cases NT1 and NT2, the right to privacy has evolved to reinforce the right to be forgotten where “the right to be left alone” presents itself.

And, as the court rightly observes in ZXC, where the factors to be considered are drawn into lists, such as the Murray factors, these are non-exhaustive. This contextual approach serves as “a legitimate starting point”; it affords judges the leeway to take into account fact-sensitive nuances in cases and to balance the countervailing rights. Because that is what it takes to safeguard both fundamental rights.

For those interested in this debate I highly recommend Hugh Tomlinson QC’s article in the Guardian: Privacy law: what’s the way ahead?

Bloomberg v ZXC: UK Supreme Court finds that suspects of crime have a reasonable expectation of privacy in investigation details pre-charge

Judgment has been handed down by the UK Supreme Court in the appeal in the case of Bloomberg v ZXC. The court has found for the respondent, refusing the appeal.

The case has significant implications for the law of privacy. It endorses the finding in the Cliff Richard case and provides crucial precedent on the reasonable expectation of privacy that suspects of crime have. TPP will have further coverage of the judgment shortly. See the judgment here.

“The courts below were correct to hold that, as a legitimate starting point, a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation and that in all the circumstances this is a case in which that applies and there is such an expectation.”

at p.146

Top 10 Defamation Cases 2021: a selection – Suneet Sharma

Inforrm reported on a large number of defamation cases from around the world in 2021. Following my widely read posts on 2017, 2018, 2019 and 2020 defamation cases, this is my personal selection of the most legally and factually interesting cases from England, Australia and Canada from the past year.

Please add, by way of comments, cases from other jurisdictions which you think should be added.

1. Fairfax Media Publications Pty Ltd; Nationwide News Pty Limited; Australian News Channel Pty Ltd v Voller [2021] HCA 27

The controversial finding of the majority of the High Court of Australia that news organisations were publishers of third-party comments on their Facebook pages.

Mr Voller brought defamation proceedings against a series of media organisations alleging that each of the applicants became a publisher of any third party comment on its Facebook page once it was posted and read by another user. He was successful at first instance and the successive appeals against the finding were rejected. The position was summarised as follows:

“each appellant intentionally took a platform provided by another entity, Facebook, created and administered a public Facebook page, and posted content on that page. The creation of the public Facebook page, and the posting of content on that page, encouraged and facilitated publication of comments from third parties. The appellants were thereby publishers of the third-party comments” [105].

Inforrm had a post about the decision.

The Australian Government is already proposing to reverse the effect of this decision by statute – see the Inforrm post here.

2. Lachaux v Independent Print Limited [2021] EWHC 1797 (QB)

In the latest instalment in the long running saga of the Lachaux libel litigation, Mr Justice Nicklin dismissed the Defendants’ public interest defence and ordered the publishers of The Independent, The i and the Evening Standard newspapers to pay £120,000 in libel damages to aerospace engineer Bruno Lachaux. The defendants falsely alleged he had, amongst other things, been violent, abusive and controlling towards his ex-wife, that he had callously and without justification taken their son away from her, and that he had falsely accused his ex-wife of abducting their son.

The Judge provided important commentary on the standards to be upheld by defendants seeking to establish the public interest defence to what would otherwise be considered defamatory coverage.  He said:

I have no hesitation in finding that it was not in the public interest to publish [Articles], which contained allegations that were seriously defamatory of the Claimant, without having given him an opportunity to respond to them. The decision not to contact the Claimant was not a result of any careful editorial consideration, it was a mistake …journalists and those in professional publishing organisations should be able to demonstrate, not only that they reasonably believed the publication would be in the public interest, but also how and with whom this was established at the time…

Inforrm had a case comment, as did 5RB.

The saga has not yet concluded.  The defendants have been granted permission to appeal and their appeal will be heard by the Court of Appeal on 12 April 2022.

3. Hijazi v Yaxley-Lennon [2021] EWHC 2008 (QB)

A case concerning a short altercation between two pupils on the playing field of Almondbury Community School in Huddersfield. A video was taken of the incident which subsequently “went viral”, just after the perpetrator of the altercation was expelled from school. He later received a caution for common assault for the incident.

On 28 and 29 November 2018 Mr Yaxley-Lennon used his Facebook account to post two videos of himself giving his opinion on the incident. He suggested, contrary to the narrative emerging from media coverage of the altercation, that some of the sympathy toward Mr Hijazi (the claimant) was undeserved as he had committed similar violence.

Both videos were found to be defamatory of Mr Hijazi.

In finding for the claimant after the substantive trial, Mr Justice Nicklin stated:

“The Defendant’s allegations against the Claimant were very serious and were published widely. The Defendant has admitted that their publication has caused serious harm to the Claimant’s reputation. The consequences to the Claimant have been particularly severe. Although it was media attention on the Viral Video that first propelled the Claimant (and Bailey McLaren) into the glare of publicity, overwhelmingly that coverage (rightly) portrayed the Claimant as the victim in the Playing Field Incident. The Defendant’s contribution to this media frenzy was a deliberate effort to portray the Claimant as being, far from an innocent victim, but in fact a violent aggressor. Worse, the language used in the First and Second Videos was calculated to inflame the situation. As was entirely predictable, the Claimant then became the target of abuse which ultimately led to him and his family having to leave their home, and the Claimant to have to abandon his education. The Defendant is responsible for this harm, some of the scars of which, particularly the impact on the Claimant’s education, are likely last for many years, if not a lifetime.”

There was an Inforrm Case Comment

4. Abramovich v Harpercollins Publishers Ltd & Anor [2021] EWHC 3154 (QB)

Chelsea FC owner Roman Abramovich succeeded at a preliminary issue trial on meaning. Mrs Justice Tipples found that all nine of the meanings, relating to allegations that Abramovich purchased Chelsea FC “on the directions of President Putin and the Kremlin”, were defamatory.

The case concerned a claim of defamation against Catherine Belton and publisher Harper Collins over allegations made in her book, Putin’s People: How the KGB Took Back Russia and Then Took On The West.

5. Vardy v Rooney [2021] EWHC 1888 (QB) Inforrm Case Comment

Known as the “Wagatha Christie litigation”, this concerned a claim of defamation brought by Rebekah Vardy against Coleen Rooney. The case stems from a series of statements published by the defendant on her public Instagram account. Mr Justice Warby previously found that the statements meant:

Over a period of years Ms Vardy had regularly and frequently abused her status as a trusted follower of Ms Rooney’s personal Instagram account by secretly informing The Sun newspaper of Ms Rooney’s private posts and stories, thereby making public without Ms Rooney’s permission a great deal of information about Ms Rooney, her friends and family which she did not want made public.

This part of the litigation concerns the claimant’s application to strike out parts of the defence and for summary judgment. A number of paragraphs of the Amended Defence were struck out in relation to allegations of the claimant’s publicity-seeking behaviour.

6. Nettle v Cruse [2021] FCA 93

Sydney-based plastic surgeon Dr Nettle refused to operate on Ms Cruse. Cruse posted comments which were highly defamatory of Dr Nettle throughout 2018. This included creating a website at a URL containing Dr Nettle’s name. Allegations ranged from failing to keep records confidential to performing unauthorised surgeries. The court found in Dr Nettle’s favour, concluding:

“Dr Nettle has proved that he was defamed by Ms Cruse in four publications in 2018. Judgment will be entered for Dr Nettle with damages payable by Ms Cruse assessed at $450,000. Injunctions restraining Ms Cruse from republishing the four impugned publications, or the imputations which have been found to be conveyed by them, will be made permanent. Ms Cruse will also be ordered to pay Dr Nettle’s costs of the proceeding.”

7. Webb v Jones [2021] EWHC 1618 (QB)

A libel claim arising from Facebook postings. The claimant failed to comply with the pre-action protocol and failed to provide particulars of the context of publication in her pleading until three months after service of the Claim Form. The defendant’s application to strike out the claim was successful. The case provides useful guidance on the procedural niceties of conducting a libel claim. Inforrm has a case comment.

8. Corbyn v Millett [2021] EWCA Civ 567

The respondent issued defamation proceedings against Jeremy Corbyn in respect of an interview he gave on the Andrew Marr Show in which he had referred to people in the audience as “Zionists” who “don’t understand English irony”. Saini J held that this made a defamatory allegation of fact. Mr Corbyn appealed. Warby LJ held that the judge did not err in finding that the words ‘disruptive’ and ‘abusive’ were statements of fact: the appellant was “presenting viewers with a factual narrative”. He also held that the judge’s approach to ‘bare comment’ had been correct and that there was no error of law in the finding that the imputation was defamatory at common law.

9. Greenstein v Campaign Against Antisemitism [2021] EWCA Civ 1006

A libel claim against the Campaign Against Antisemitism after the Campaign referred to Greenstein in a series of five articles published on its website. The appeal was against an order striking out the particulars of malice and entering judgment in favour of the Campaign. In upholding the first instance decision, Dingemans LJ reiterated the principles for finding malice set out in Horrocks v Lowe [1975] AC 135.

10. Chak v Levant, 2021 ABQB 946

Rebel Media founder Ezra Levant was ordered to pay damages of $60,000 following Leonard J’s finding that he defamed a political science professor and former Liberal candidate during a 2014 Sun News broadcast. Levant claimed Farhan Chak “shot up” a nightclub when he was 19 years old.

Quotes from caselaw 6: HRH The Duchess of Sussex v Associated Newspapers Ltd [2021] EWCA Civ 1810 – Meghan Markle successfully defends appeal by Mail on Sunday

An appeal against the grant of summary judgment on her misuse of private information and copyright claims.

The appellant was granted permission to appeal on seven grounds:

i) The new evidence issue: Whether the new evidence provided by each of the parties should be admitted.

ii) The nature of the attack issue: Whether the judge mistakenly failed to recognise the significance and importance of the People Article’s attack on Mr Markle.

iii) The reasonable expectation of privacy issue: Whether the judge adopted a flawed analysis of the factors undermining the Duchess’s alleged reasonable expectation of privacy.

iv) The appropriate test issue: Whether the judge wrongly stated the test, by suggesting that the defendant had to justify an interference with the claimant’s right of privacy, when the proper approach was to balance the competing article 8 and 10 rights.

v) The right of reply issue: Whether the judge wrongly applied a strict test of necessity and proportionality to Mr Markle’s right of reply to the People Article.

vi) The public interest/article 10 copyright issue: whether the judge failed properly to evaluate the interference with article 10, saying that it would be a rare case in which freedom of expression would outweigh copyright.

vii) The fair dealing copyright issue: whether the judge wrongly relied on his privacy analysis to reject the fair dealing defence to breach of copyright, bearing in mind the limited scope of the copyright in the Letter and the wide scope of the concept of reporting current events.

Sir Geoffrey Vos MR, giving the unanimous judgment of the court, decided against the appellant on all grounds and dismissed the appeal, stating in summary:

Essentially, whilst it might have been proportionate to disclose and publish a very small part of the Letter to rebut inaccuracies in the People Article, it was not necessary to deploy half the contents of the Letter as Associated Newspapers did. As the Articles themselves demonstrate, and as the judge found, the primary purpose of the Articles was not to publish Mr Markle’s responses to the inaccurate allegations against him in the People Article. The true purpose of the publication was, as the first 4 lines of the Articles said: to reveal for the first time [to the world] the “[t]he full content of a sensational letter written by [the Duchess] to her estranged father shortly after her wedding”. The contents of the Letter were private when it was written and when it was published, even if the claimant, it now appears, realised that her father might leak its contents to the media.

at p.106

Quotes from caselaw 5: Lloyd v Google LLC [2021] UKSC 50 – no one size fits all claim available in data protection “Safari Workaround” class action

In one of the most significant privacy law judgments of the year the UK Supreme Court considered whether a representative claim could be brought against Google for breach of its obligations as a data controller under s.4(4) of the Data Protection Act 1998 (“DPA”) arising from its use of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998.

The amount claimed per person advanced in the letter of claim was £750. Collectively, with the number of people impacted by the processing, the potential liability of Google was estimated to exceed £3bn.

“The claim alleges that, for several months in late 2011 and early 2012, Google secretly tracked the internet activity of millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users’ knowledge or consent.”

Lord Leggatt at p.1

The claim was brought as a representative action under rule 19.6 of the Civil Procedure Rules.

Lord Leggatt handed down the unanimous judgment in favour of the appellant, Google LLC:

“the claim has no real prospect of success. That in turn is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google.”

At p.159

It should be noted that the claim was brought under the Data Protection Act 1998 and not under the GDPR.

See the full judgment here. The Panopticon Blog has an excellent summary.

Quotes from caselaw 4: PJS v News Group Newspapers Limited [2016] UKSC 26 – privacy rights are broader than just confidentiality

It is a rare case in which an application for an interlocutory injunction succeeds despite an article on the subject already having been published. Such was the case in PJS, one of the most significant English privacy law cases to date.

The leading judgment was handed down by Lord Mance. The case concerned the grant of an injunction to prevent the press publishing details of an extra-marital affair involving a claimant of great renown.

Lord Mance observes that privacy is a zonal right justifying protection, differing in character from the right of confidentiality. He highlights previous cases at paragraphs 58 and 59 of the judgment, endorsing the well-entrenched approach of the Court of Appeal.

He characterises privacy, rightly, as extending beyond the bounds of confidentiality. In doing so one’s private life becomes a space that should remain, in certain circumstances, free from intrusion.

However, claims based on respect for privacy and family life do not depend on confidentiality (or secrecy) alone... “unwanted access to private information and unwanted access to [or intrusion into] one’s … personal space”

Lord Mance at p.58-59

In concluding, Lord Mance opined on the capacity of the internet to change perceptions of privacy. He acknowledged that the courts need to remain cognizant of this. In doing so he affirmed the findings of previous caselaw, gave credence to commentators and noted the implications of tweeting and blogging:

“I also accept that, as many commentators have said, the internet and other electronic developments are likely to change our perceptions of privacy as well as other matters – and may already be doing so. The courts must of course be ready to consider changing their approach when it is clear that that approach has become unrealistic in practical terms or out of touch with the standards of contemporary society. However, we should not change our approach before it is reasonably clear that things have relevantly changed in a significant and long-term way. In that connection, while internet access became freely available in this country only relatively recently, almost all the cases listed at the end of para 59 above were decided since that happened, and many of those cases were decided after blogging and tweeting had become common.”

Lord Mance at p.70

TPP has commented further on the PJS case here.

Citation: INFORRM Blog, ZXC v Bloomberg LP: Privacy and Reputational Harm – Jeevan Hariharan

The INFORRM Blog has an excellent post on the inter-related nature of privacy and reputational harms.

Whether an individual has a reasonable expectation of privacy that outweighs the public interest where there has been a police investigation but no charge is the question shortly to be considered by the Supreme Court in ZXC v Bloomberg LP.

The case is before the UK Supreme Court on 30 November and 1 December next week and was cited by Hariharan in his analysis of the proximity between privacy and reputational harms.

The Court of Appeal judgment can be found here. The Court found that there could be a reasonable expectation of privacy in the fact of a police investigation. This builds upon notable caselaw such as the Cliff Richard case.

ICO launches consultation on the Draft Journalism Code of Practice

The ICO’s consultation on its Draft Journalism Code of Practice has begun.

Be sure to have your say; the deadline to submit responses is 22 January 2022.

The Code covers privacy safeguards among many other topics. In particular, it covers the journalism exemption under the Data Protection Act 2018 and the breadth of that exemption, which disapplies many of the requirements on holding and processing personal data.

Journalism should be balanced with other rights that are also fundamentally important to democracy, such as data protection and the right to privacy.

at p.4

The Code substantively addresses the safeguarding of journalism under the exemption, briefly touching on balancing a free press against privacy rights before going on to discuss how this balance is struck under data protection laws:

Why is it important to balance journalism and privacy?

It is widely accepted that a free press, especially a diverse press, is a fundamental component of a democracy. It is associated with strong and important public benefits worthy of special protection. This in itself is a public interest.

Most obviously, a free press plays a vital role in the free flow of communications in a democracy. It increases knowledge, informs debates and helps citizens to participate more fully in society. All forms of journalistic content can perform this crucial role, from day-to-day stories about local events to celebrity gossip to major public interest investigations.

A free press is also regarded as a public watch-dog. It acts as an important check on political and other forms of power, and in particular abuses of power. In this way, it helps citizens to hold the powerful to account.

However, the right to freedom of expression and information should be balanced with other rights that are necessary in a democratic society, such as the right to privacy. The public interest in individual freedom of expression is itself an aspect of a broader public interest in the autonomy, integrity and dignity of individuals.

The influence and power of the press in society, and the reach of the internet, means that it is particularly important to balance journalism and people’s right to privacy.

This code provides guidance about balancing these two important rights by helping you to understand what data protection law requires and how to comply with these requirements effectively.

at p.25

Healthcare data and data protection in the time of coronavirus – Olivia Wint

The processing of special category personal data (including health data e.g. vaccination status, blood type, health conditions etc) was a common topic before the COVID-19 pandemic (the “pandemic”), with various resources published that explored this topic.

For example, the European Data Protection Board (“EDPB”) published an adopted opinion on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation* (“GDPR”) (23 January 2019), the Information Commissioner’s Office (“ICO”) posted a blog on why special category personal data needs to be handled even more carefully (14 November 2019) and the ICO published guidance on the lawful bases for processing special category data in compliance with the GDPR (November 2019).

The pandemic has brought a number of data protection considerations to the fore, all of which already existed but have been exacerbated by the pandemic (employee monitoring, contact tracing, the workforce shift from office to home etc.). One that is more prevalent than ever is the processing of health data. This piece covers some key data protection themes and practical insights into the processing of health data.

Health data, a subset of special category personal data, by its very nature comes with an increased risk profile. When processing this data type there are not only legislative data protection requirements and the expectation of good clinical governance practice, but regulatory body considerations too.

For example, the Care Quality Commission has in place a code of practice on confidential personal information, the NHS Health Research Authority has in place GDPR guidance specifically for researchers and study coordinators and technical guidance for those responsible for information governance within their organisation, and the NHS more generally has in place its Data Security and Protection Toolkit (the “Toolkit”). The Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards. The Toolkit covers records management and retention, training and awareness, system vulnerability management and crisis management, to name a few.

The above is all at a national level (UK). At an international level there are data protection laws which specifically cover health data, such as HIPAA in the US, the Patient Data Protection Act in Germany, and various provincial health data privacy laws in Canada such as the Health Information Act in Alberta.

Whilst the previous paragraphs highlight the complexity of processing health data, whether at a national or international level, in comparison to other data types, there are a number of mitigations that organisations can put in place to adequately reduce the risks associated with processing this type of data. Mitigations such as Data Protection Impact Assessments (“DPIAs”), updated privacy notices and appropriate security measures, amongst other things, should all be considered.

Covering your bases

The first base that must be covered when processing data is ensuring that an appropriate legal basis has been established for each data processing activity, so for example if health data is processed for employee monitoring and research, a legal basis for both of these activities will need to be established. Legal bases can include for the performance of a contract, for legitimate interests** of the organisation and/or in order to perform a legal obligation.  Where processing of health data is concerned an additional category under Article 9 of the UK GDPR must be met. In the healthcare context, applicable additional categories may include explicit consent, health or social care purposes, public health purposes and/or archiving research and statistical purposes. 

Many organisations that never historically processed health data may now do as a result of the pandemic or alternatively organisations that processed health data pre-pandemic may now be doing so in larger amounts, organisations that fit either side of the coin should also assess the extent to which their privacy notice(s) have been updated and/or need to be updated in order to make data subjects aware any applicable data processing changes and to comply with transparency obligations.

Next, large scale processing of health data may pose a ‘high risk to the rights and freedoms of natural persons’ and in such cases will trigger the requirement for a DPIA. In order for a DPIA to have value, it is important for organisations to ensure that the DPIA is assessed and considered early on, so that privacy by design and by default is built into any system or processing activity from the outset.

A DPIA will assess the likelihood and severity of harm related to the processing activity in question and, should the DPIA identify a high risk with no available mitigations, consultation with the ICO will be needed. The ICO has set out a 9-step lifecycle for the DPIA, all of which should be considered before any data processing has taken place:

  1. Identify a need for a DPIA;
  2. Describe the processing;
  3. Consider consultation;
  4. Assess necessity and proportionality;
  5. Identify and assess risks;
  6. Identify measures to mitigate risk;
  7. Sign off and record outcomes;
  8. Integrate outcomes into plan; and
  9. Keep under review.

Internally, organisations should have appropriate technical and organisational measures in place which reflect the risk presented. In relation to technical measures, appropriate internal controls and security measures should be utilised. Organisations may wish to consider a combination of controls to ensure that health data has the best level of protection; this may include end-to-end encryption for data both in transit and at rest, role-based access within organisations, and the adoption of, and accreditation against, industry recognised security standards such as ISO 27001.

In respect of organisational measures, it may be apt to implement training and awareness sessions, with tailored training administered to employees who will be carrying out data processing activities, and to have a robust policy suite in place which covers key circumstances such as data breaches and business continuity.

Data sharing

A specific data processing activity that may be utilised more in the wake of the pandemic is that of data sharing between organisations for information and research purposes. In England, the soon to be implemented GP Data Sharing Scheme aims to improve and create a new framework for building a central NHS digital database from GP records, and the UK’s Department of Health and Social Care (“DHSC”) has recently published a draft policy paper titled ‘Data saves lives: reshaping health and social care with data’. The policy covers the aspiration of the DHSC to introduce new legislation as part of the Health and Care Bill (currently at Committee stage) to encourage data sharing between private health providers and the NHS, and to have more guard rails around the sharing of data generally by mandating standards for how data is collected and stored.

As data sharing, as evidenced by the above, is something that will be advocated for and welcomed in due course, it is important that organisations have in place the appropriate contractual and practical measures to protect data, as data in motion is when it is most vulnerable. Contractual measures include ensuring data sharing and/or transfer agreements are in place which cover all necessary contractual provisions and provide adequate assurances as to the data sharing/transfer arrangements. NHSX has published a template Data Sharing Agreement which has been labelled as suitable for use by all health and care organisations and includes risk management, legal basis and confidentiality and privacy provisions, amongst other things. Practical measures include conducting due diligence checks on all organisations which may be in receipt of data as part of the data sharing process (including third parties) and anonymising/pseudonymising data. The ICO has put in place a comprehensive data sharing checklist which invites organisations to consider data minimisation, accountability and data subject rights.

The pandemic has changed the world as we knew it in more ways than one and, in the context of processing of health data, what seems to be certain is that the processing of health data is on the rise. As such, organisations should continue to monitor guidance and developments in this area and ensure that data protection principles are at the core of all data processing activities as a first port of call.

* EDPB guidelines are no longer directly relevant to the UK data protection regime and are not binding under the UK regime.

** A legitimate interest assessment should be considered when relying on legitimate interest as a lawful basis.

Olivia Wint is a seasoned data protection professional, with over five years’ experience in this area. Olivia has worked in a range of sectors including local authority, third sector, start-ups and the Big 4, advising on all aspects of data protection compliance.