Healthcare data and data protection in the time of coronavirus – Olivia Wint

The processing of special category personal data (including health data e.g. vaccination status, blood type, health conditions etc) was a common topic before the COVID-19 pandemic (the “pandemic”), with various resources published that explored this topic.

For example, the European Data Protection Board (“EDPB”) published an adopted opinion on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation* (“GDPR”) (23 January 2019), the Information Commissioner’s Office (“ICO”) posted a blog on why special category personal data needs to be handled even more carefully (14 November 2019) and the ICO published guidance on the lawful bases for processing special category data in compliance with the GDPR (November 2019).

The pandemic has brought about a number of data protection considerations, all of which already existed but have been exacerbated by the pandemic (employee monitoring, contact tracing, the workforce shift from office to home etc.). One that is more prevalent than ever before is the processing of health data. This piece aims to cover some key data protection themes and practical insights into the processing of health data.

Health data, a subset of special category personal data, by its very nature comes with an increased risk profile. When processing this data type, there are not only legislative data protection requirements and the expectation of good clinical governance practices, but also regulatory body considerations.

For example, the NHS Care Quality Commission have in place a code of practice on confidential personal information, the NHS Health Research Authority have in place GDPR guidance specifically for researchers and study coordinators and technical guidance for those responsible for information governance within their organisation, and the NHS more generally has in place its Data Security and Protection Toolkit (the “Toolkit”). The Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards. The Toolkit covers records management and retention, training and awareness, system vulnerability management and crisis management, to name a few.

The above is all at a national level (UK). At an international level, there are data protection laws which specifically cover health data, such as HIPAA in the US, the Patient Data Protection Act in Germany, and various provincial health data privacy laws in Canada such as the Health Information Act in Alberta.

Whilst the previous paragraphs highlight the complexities of processing health data, whether at a national or international level, in comparison to other data types, there are a number of mitigations that organisations can put in place to adequately reduce the risks associated with processing this type of data. Mitigations such as Data Protection Impact Assessments (“DPIAs”), updated privacy notices and appropriate security measures, amongst other things, should all be considered.


Covering your bases

The first base that must be covered when processing data is ensuring that an appropriate legal basis has been established for each data processing activity. For example, if health data is processed for both employee monitoring and research, a legal basis for each of these activities will need to be established. Legal bases can include the performance of a contract, the legitimate interests** of the organisation and/or compliance with a legal obligation. Where the processing of health data is concerned, an additional condition under Article 9 of the UK GDPR must also be met. In the healthcare context, applicable additional conditions may include explicit consent, health or social care purposes, public health purposes and/or archiving, research and statistical purposes.

Many organisations that never historically processed health data may now do so as a result of the pandemic; alternatively, organisations that processed health data pre-pandemic may now be doing so in larger amounts. Organisations that fit either side of the coin should also assess the extent to which their privacy notice(s) have been updated and/or need to be updated, in order to make data subjects aware of any applicable data processing changes and to comply with transparency obligations.

Next, large-scale processing of health data may pose a ‘high risk to the rights and freedoms of natural persons’ and in such cases will trigger the requirement for a DPIA. In order for a DPIA to have value, it is important for organisations to ensure that the DPIA is assessed and considered early on, so that privacy by design and default is built into any system or processing activity.

A DPIA will assess the likelihood and severity of harm related to the processing activity in question and should the DPIA identify a high risk with no available mitigations, consultation with the ICO will be needed. The ICO has set out a 9-step lifecycle for the DPIA, all of which should be considered before any data processing has taken place:

  1. Identify a need for a DPIA;
  2. Describe the processing;
  3. Consider consultation;
  4. Assess necessity and proportionality;
  5. Identify and assess risks;
  6. Identify measures to mitigate risk;
  7. Sign off and record outcomes;
  8. Integrate outcomes into plan; and
  9. Keep under review.

Internally, organisations should have appropriate technical and organisational measures in place that reflect the risk presented. In relation to technical measures, appropriate internal controls and security measures should be utilised. Organisations may wish to consider a combination of controls to ensure that health data has the best level of protection; this may include end-to-end encryption for data both in transit and at rest, role-based access within organisations and the adoption and accreditation of industry-recognised security standards such as ISO 27001.

In respect of organisational measures, it may be apt for training and awareness sessions to be implemented, with tailored training administered to employees who will be carrying out data processing activities, and for a robust policy suite to be in place which covers key circumstances such as data breaches and business continuity.

Data sharing

A specific data processing activity that may be utilised more in the wake of the pandemic is that of data sharing between organisations for information and research purposes. In England, the soon-to-be-implemented GP Data Sharing Scheme aims to improve and create a new framework for creating a central NHS Digital database from GP records, and the UK’s Department of Health and Social Care (“DHSC”) has recently published a draft policy paper titled ‘Data saves lives: reshaping health and social care with data’. The policy covers the aspiration of the DHSC to introduce new legislation as part of the Health and Care Bill (currently at Committee stage) to encourage data sharing between private health providers and the NHS, and to put more guard rails around the sharing of data generally by mandating standards for how data is collected and stored.

As data sharing, as evidenced above, is something that will be advocated for and welcomed in due course, it is important that organisations have in place the appropriate contractual and practical measures to protect data, as data in motion is when it is most vulnerable. Contractual measures include ensuring that data sharing and/or transfer agreements are in place which cover all necessary contractual provisions and provide adequate assurances as to the data sharing/transfer arrangements. NHSX has published a template Data Sharing Agreement which has been labelled as suitable for use by all health and care organisations and includes risk management, legal basis and confidentiality and privacy provisions, amongst other things. Practical measures include conducting due diligence checks on all organisations which may be in receipt of data as part of the data sharing process (including third parties) and anonymising/pseudonymising data. The ICO has put in place a comprehensive data sharing checklist which invites organisations to consider data minimisation, accountability and data subject rights.

The pandemic has changed the world as we knew it in more ways than one and, in the context of health data, what seems certain is that its processing is on the rise. As such, organisations should continue to monitor guidance and developments in this area and ensure that data protection principles are at the core of all data processing activities as a first port of call.

* EDPB guidelines are no longer directly relevant to the UK data protection regime and are not binding under the UK regime.

** A legitimate interest assessment should be considered when relying on legitimate interest as a lawful basis.

Olivia Wint is a seasoned data protection professional, with over five years’ experience in this area. Olivia has worked in a range of sectors including local authority, third sector, start-ups and the Big 4, advising on all aspects of data protection compliance.

Big Brother Watch publishes The State of Free Speech Online Report

Government surveillance interest group Big Brother Watch has released an insightful Report entitled: The State of Free Speech Online.

The Report looks at crucial provisions of the English Government’s proposed Online Safety Bill, critiquing its impact on freedom of speech.

The Report in particular focuses on social media platforms and the impact of the Bill’s provisions on their ability to facilitate free speech.

TPP supports free speech unequivocally, recognising that in a democratic society both the right of free speech and the protection of one’s private life must be carefully balanced and safeguarded.

The recent move by Facebook in removing the publication of third-party Australian news from its site, in protest at the provisions of the proposed News Media Bargaining Code and in doing so lobbying the Australian government, serves to highlight the unequal bargaining position of online platforms and their extensive influence.

Furthermore, Twitter permanently suspending then US President Donald Trump highlighted the ability of a platform to operate at the highest levels as an arbiter of free speech.

It serves to bring into sharp relief the need for proper safeguards and guidelines for, as the Report states, private companies who “wield power… comparable to that of governments”.

As arbiters of free speech, companies such as Facebook, Instagram, YouTube and Twitter hold substantial sway over millions of conversations where the rights of free speech and those of privacy intersect. This Report is a welcome examination of the coming reforms in the Online Safety Bill through a lens of safeguarding free speech.

It argues that enforcement of free speech rights has been “questionable, inconsistent and problematic” across the platforms. It goes on to opine that such platforms need to mirror the rule of law and reflect human rights principles.

As English law moves to take the next step in regulating the activities of those online via the Online Safety Bill, TPP will be reporting on both sides of the free speech and privacy debate.

Cricketer Ben Stokes and mother Deborah Stokes achieve settlement in privacy case against the Sun newspaper, securing rare unreserved apology

Following the publication of an article in 2019 in the Sun newspaper concerning a family matter before the cricketer was born, Ben Stokes and his mother have achieved a settlement from the Sun newspaper.

Mother of Ben Stokes, Deborah Stokes commented: “The decision to publish this article was a decision to expose, and to profit from exposing, intensely private and painful matters within our family. The suffering caused to our family by the publication of this article is something we cannot forgive.

“Ben and I can take no pleasure in concluding this settlement with the Sun. We can only hope that our actions in holding the paper to account will leave a lasting mark, and one that will contribute to prevent other families from having to suffer the same pain as was inflicted on our family by this article.”

The family were represented by Brabners LLP. Paul Lunt, solicitor to Ben and Deborah Stokes and Head of Litigation, said “The Sun has apologised to Ben and Deborah. The paper has accepted that the article ought never to have seen the light of day. The apology to our clients acknowledges the great distress caused to Ben, Deborah and their family by what was a gross intrusion – and exploitation – of their privacy. Substantial damages have also been paid, as well as payment of legal costs.”

See the Brabners LLP press release here.

The Sun stated: “On 17 September 2019 we published a story titled ‘Tragedy that Haunts Stokes’ Family’ which described a tragic incident that had occurred to Deborah Stokes, the mother of Ben Stokes, in New Zealand in 1988. The article caused great distress to the Stokes family, and especially to Deborah Stokes. We should not have published the article. We apologise to Deborah and Ben Stokes. We have agreed to pay them damages and their legal costs.”

Coverage of the settlement can be found in the Guardian, Press Gazette and BBC Sport, amongst others.

An Introduction to English laws tackling revenge pornography – Colette Allen

As the UK moved online in response to the COVID-19 pandemic, reports of image-based abuse – ‘revenge porn’ – doubled. One reason for the increase is that the national lockdown pushed dating lives online, and the sharing of sexual images became one of the few ways to show intimacy. Disclosing, or threatening to disclose, intimate images has a massive psychological toll on victims, and is therefore an effective means of exerting control. Financial pressure, a surge in domestic violence, and relationship breakdowns have contributed to the rise of reported cases.

Too often, the victim is blamed when their image ends up online. This response disregards the victim’s right to privacy and denies them their sexuality. Most would agree that a person’s consent to have sex with another does not amount to consent to sleep with all of his/her friends – but that is the very logic of those who say individuals ‘should have been more careful’ when their image is disclosed.

If you are a victim of revenge porn, the law can help you regain control and achieve justice.

The uploading of sexual or intimate images online, without the consent of the individual pictured, and with the intention to cause the victim humiliation or embarrassment, is a criminal offence in England and Wales.

The relevant law differs depending on whether or not the victim is over 18 years of age.

Section 33 of the Criminal Justice and Courts Act 2015 (‘CJCA 2015’) applies to adult victims and establishes a maximum sentence of 2 years’ imprisonment following conviction.

For s.33 CJCA 2015 to apply, the image(s) must be private and sexual. Certain parts of the body, like exposed genitals or pubic area, are considered inherently private for the purposes of the offence. Posing in a sexually provocative way will be regarded as private if the image depicts something that would not ordinarily be seen in public.

The victim must show that the reason, or one of the reasons, that their intimate image was shared without their consent was to cause the victim distress (the ‘distress element’). Without proving this, a victim will not be able to secure a conviction against the defendant. The distress element is a distinct part of the trial that will require its own evidence. It is not enough that distress is or would be a natural consequence of the disclosure.

Doctored and computer-generated images, also known as ‘deep fakes’, are not covered by the CJCA 2015. A victim who has had an innocent image transposed onto a pornographic photograph or film does not, unfortunately, have any specific law to draw on. Victims in this scenario should, however, discuss with their solicitor the possibility of securing a conviction under section 1 of the Malicious Communications Act 1988 and/or section 127 of the Communications Act 2003. Victims pursuing this route will still have to find evidence for the distress element in order to secure a conviction, as both s.1 and s.127 require that the message be sent to cause distress or anxiety, or be of a menacing character, respectively.

It is not guaranteed that a victim of revenge porn will be able to secure legal aid funding, but this is something you should ask your solicitor.


Defences

It is a complete defence if the defendant reasonably believed that the disclosure was necessary for the investigation, prevention or detection of crime (s.33(3) CJCA 2015), or if the image is disclosed by a journalist who reasonably believes that publication is in the public interest (s.33(4)). A journalist relying on the s.33(4) defence will have to show that there was a legitimate need to publish the photograph or film that goes to the value of a story on an important matter. ‘Public interest’ in this context is not simply something in which the journalist believes the public will be interested.

It is a defence if the defendant believed that the image(s) had previously been made public for financial purposes, i.e. commercial pornography (s.33(5) CJCA 2015). However, a defendant will not be able to rely on s.33(5) if they had reason to believe that the victim had not consented to the prior release.

Anyone who forwards on the image(s) without the victim’s consent is only guilty of a s.33 offence if they do so with the intention to cause the victim distress. Re-sending the image(s) as a joke or for sexual gratification will not amount to an offence merely because distress was a natural consequence of their actions (s.33(8)).

Children

Possessing, taking, distributing or publishing sexual images of individuals under the age of 18 are offences under section 1 of the Protection of Children Act 1978 and section 160 of the Criminal Justice Act 1988. If you are under the age of 18 and your image has appeared online, the process is much simpler than if you were an adult: there is no need to show a distress element on the part of the defendant.

Parents who have been made aware that their children have shared or have been sent sexual images should be aware that the Crown Prosecution Service Guidelines on revenge pornography make clear that consensual ‘sexting’ between minors of a similar age is not to be treated as an offence. Where there is evidence of grooming, harassment or exploitation, it will be treated as a criminal matter.

Websites

The CJCA 2015 makes it possible for the website operator who hosts the site on which an intimate image was illegally shared to be liable, but only when the operator has actively participated in the disclosure, or has failed to remove the material once made aware that it is criminal in nature. In reality, most social media sites will comply with requests to remove such material.

If any of the matters discussed in this article affect you, visit https://revengepornhelpline.org.uk

Colette Allen has hosted “Newscast” on The Media Law Podcast with Dr Thomas Bennett and Professor Paul Wragg since 2018. She has recently finished the BTC at The Inns of Court College of Advocacy and will be starting an MSc in the Social Sciences of the Internet at the University of Oxford in October 2021.

Mail on Sunday settle with Duke of Sussex, Prince Harry, over allegations regarding “distancing” from the British Armed Forces

A unilateral statement in open court was presented before Mr Justice Nicklin in the case brought by the Duke of Sussex against the Mail on Sunday.

The settlement concerns an article published on 25 October 2020 that alleged that the Prince had distanced himself from the British Army and the Royal Marines in particular, ignoring correspondence from Lord Dannatt, a former Chief of the General Staff.

The Mail on Sunday and the MailOnline admitted the falsity of the statements.

The Statement recounted the Duke’s continuing efforts to engage with the British Armed Forces including the Royal Marines.

It highlighted that the article had remained published for 33 days, all the while disparaging the Duke’s relationship with the British Armed Forces.

A settlement offer was made to the Duke on 3rd December 2020 and accepted on 21st October 2020. An apology to be placed in the Corrections and Clarifications columns was agreed.

As is typical with these statements, attention was drawn to the fact that the intention was to settle the case and prevent further costly litigation. It was stated that the damage caused by the article was disproportionate in relation to these reparations.

The correction was published in the Mail on Sunday in an area of the paper far smaller than the original article, and on a right-hand page, which garners significantly more attention. There was no heading to the apology.

The MailOnline published a similar correction and clarification that garnered 9 shares, compared to the 1,000 shares and 3,000 reader comments on the original article. The apology was also only published on the MailOnline app for a period of 24 hours, despite 64% of the readership having used the app to read articles, meaning significantly fewer readers would have read the apology.

Importantly, both Defendants were alleged to have used wording which significantly underplayed the seriousness of the complaint. Further, they failed to acknowledge that the statements were false, meaning the Duke had to resort to a Statement in Open Court.

The Defendant had offered to donate the proceeds of the settlement to the Invictus Games Foundation. However, the apology did not state that the Duke had decided to donate the settlement monies to the Invictus Games Foundation after receiving them himself, so that he could feel that some good had come of the case.

See coverage of the settlement on:

Inforrm

Sky

Independent

BBC

Parts of Meghan Markle’s claim against Associated Newspapers struck out following preliminary hearing

On 1 May 2020 Mr Justice Warby handed down judgment concerning a pre-trial application by Associated Newspapers in its ongoing defence of claims of misuse of private information, copyright infringement, and breach of data protection rights by Meghan Markle, HRH The Duchess of Sussex.
