An Introduction to the Concept of Privacy under English Law, Parts I, II and III, is now available in podcast format. See our profile on Anchor at the following link: https://anchor.fm/suneet-rajiv-sharma
The processing of special category personal data (including health data, e.g. vaccination status, blood type and health conditions) was a common topic before the COVID-19 pandemic (the “pandemic”), with various resources published exploring it.
For example, the European Data Protection Board (“EDPB”) adopted an opinion on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation* (“GDPR”) (23 January 2019), the Information Commissioner’s Office (“ICO”) posted a blog on why special category personal data needs to be handled even more carefully (14 November 2019) and the ICO published guidance on the lawful bases for processing special category data in compliance with the GDPR (November 2019).
The pandemic has brought a number of data protection considerations to the fore, all of which already existed but have been exacerbated by it (employee monitoring, contact tracing, the workforce shift from office to home, etc.). One that is more prevalent than ever is the processing of health data. This piece aims to cover some key data protection themes and practical insights into the processing of health data.
Health data, a subset of special category personal data, by its very nature comes with an increased risk profile. When processing this data type there are not only legislative data protection requirements and the expectation of good clinical governance practices, but also regulatory body considerations.
For example, the Care Quality Commission (the independent regulator of health and social care in England) has in place a code of practice on confidential personal information, the NHS Health Research Authority has GDPR guidance specifically for researchers and study coordinators and technical guidance for those responsible for information governance within their organisation, and the NHS more generally has in place its Data Security and Protection Toolkit (the “Toolkit”). The Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards. The Toolkit covers records management and retention, training and awareness, system vulnerability management and crisis management, to name a few.
The above all operates at a national (UK) level. At an international level there are data protection laws which specifically cover health data, such as HIPAA in the US, the Patient Data Protection Act (Patientendaten-Schutz-Gesetz) in Germany, and various provincial health privacy laws in Canada such as the Health Information Act in Alberta.
Whilst the previous paragraphs highlight the complexities of processing health data, whether at a national or international level, in comparison to other data types, there are a number of mitigations that organisations can put in place to adequately reduce the associated risks. Mitigations such as Data Protection Impact Assessments (“DPIAs”), updated privacy notices and appropriate security measures, amongst other things, should all be considered.
Covering your bases
The first base that must be covered when processing data is ensuring that an appropriate lawful basis has been established for each data processing activity. So, for example, if health data is processed both for employee monitoring and for research, a lawful basis for each of these activities will need to be established. Lawful bases under Article 6 include the performance of a contract, the legitimate interests** of the organisation and compliance with a legal obligation. Where the processing of health data is concerned, an additional condition under Article 9 of the UK GDPR must also be met. In the healthcare context, applicable Article 9 conditions may include explicit consent (Article 9(2)(a)), health or social care purposes (Article 9(2)(h)), public health purposes (Article 9(2)(i)) and/or archiving, research and statistical purposes (Article 9(2)(j)).
Many organisations that never historically processed health data may now do so as a result of the pandemic; alternatively, organisations that processed health data pre-pandemic may now be doing so in larger volumes. Organisations on either side of the coin should also assess the extent to which their privacy notice(s) have been, or need to be, updated in order to make data subjects aware of any applicable changes to processing and to comply with transparency obligations.
Next, large-scale processing of health data may pose a ‘high risk to the rights and freedoms of natural persons’ and in such cases will trigger the requirement for a DPIA. For a DPIA to have value, it is important that it is carried out early, so that privacy by design and by default is built into any system or processing activity rather than retrofitted.
A DPIA assesses the likelihood and severity of harm arising from the processing activity in question. If the DPIA identifies a high residual risk that cannot be mitigated, the organisation must consult the ICO before the processing begins (prior consultation under Article 36 of the UK GDPR). The ICO has set out a nine-step DPIA process, all of which should be completed before any data processing takes place.
Internally, organisations should have appropriate technical and organisational measures in place that reflect the risk presented. In relation to technical measures, appropriate internal controls and security measures should be used. Organisations may wish to consider a combination of controls to ensure that health data has the best level of protection; this may include encryption of data both in transit and at rest, role-based access control within the organisation, and the adoption of, and certification against, industry-recognised security standards such as ISO/IEC 27001. Encryption at rest does not guard against misuse by users who are authorised to access the data, so access to health records should also be logged and the logs reviewed.
In respect of organisational measures, it may be apt to implement training and awareness sessions, with tailored training for employees who will be carrying out data processing activities, and to have a robust policy suite in place covering key circumstances such as data breaches and business continuity.
A specific data processing activity that may be used more in the wake of the pandemic is data sharing between organisations for information and research purposes. In England, the soon-to-be-implemented General Practice Data for Planning and Research programme (the “GP Data Sharing Scheme”) aims to create a new framework under which a central NHS Digital database is built from GP records, and the UK’s Department of Health and Social Care (“DHSC”) has recently published a draft policy paper titled ‘Data saves lives: reshaping health and social care with data’. The paper sets out the DHSC’s aspiration to introduce new legislation as part of the Health and Care Bill (currently at Committee stage) to encourage data sharing between private health providers and the NHS, and to put more guard rails around the sharing of data generally by mandating standards for how data is collected and stored.
Since data sharing, as evidenced by the above, is something that will be advocated for and welcomed in due course, it is important that organisations have in place the appropriate contractual and practical measures to protect data, which is at particular risk once it leaves the originating organisation’s control. Contractual measures include ensuring that data sharing and/or transfer agreements are in place which cover all necessary contractual provisions and provide adequate assurances as to the sharing/transfer arrangements. NHSX has published a template Data Sharing Agreement which is labelled as suitable for use by all health and care organisations and includes risk management, legal basis, and confidentiality and privacy provisions, amongst other things. Practical measures include conducting due diligence checks on all organisations which may receive data as part of the sharing process (including third parties) and anonymising or pseudonymising data; note that pseudonymised data remains personal data under the UK GDPR, and only data that is truly anonymised falls outside it. The ICO has published a comprehensive data sharing checklist which invites organisations to consider data minimisation, accountability and data subject rights.
The pandemic has changed the world as we knew it in more ways than one and, in the context of health data, what seems certain is that its processing is on the rise. Organisations should therefore continue to monitor guidance and developments in this area and, as a first port of call, ensure that data protection principles are at the core of all data processing activities.
* EDPB guidelines are no longer directly relevant to the UK data protection regime and are not binding under the UK regime.
** A legitimate interest assessment should be considered when relying on legitimate interest as a lawful basis.
Olivia Wint is a seasoned data protection professional with over five years’ experience in this area. Olivia has worked in a range of sectors including local authority, the third sector, start-ups and the Big 4, advising on all aspects of data protection compliance.
Following the publication in 2019 of an article in the Sun newspaper concerning a family matter that predated the cricketer’s birth, Ben Stokes and his mother have reached a settlement with the Sun.
Mother of Ben Stokes, Deborah Stokes commented: “The decision to publish this article was a decision to expose, and to profit from exposing, intensely private and painful matters within our family. The suffering caused to our family by the publication of this article is something we cannot forgive.
“Ben and I can take no pleasure in concluding this settlement with the Sun. We can only hope that our actions in holding the paper to account will leave a lasting mark, and one that will contribute to prevent other families from having to suffer the same pain as was inflicted on our family by this article.”
The family were represented by Brabners LLP. Paul Lunt, solicitor to Ben and Deborah Stokes and Head of Litigation, said “The Sun has apologised to Ben and Deborah. The paper has accepted that the article ought never to have seen the light of day. The apology to our clients acknowledges the great distress caused to Ben, Deborah and their family by what was a gross intrusion – and exploitation – of their privacy. Substantial damages have also been paid, as well as payment of legal costs.”
The Sun stated: “On 17 September 2019 we published a story titled ‘Tragedy that Haunts Stokes’ Family’ which described a tragic incident that had occurred to Deborah Stokes, the mother of Ben Stokes, in New Zealand in 1988. The article caused great distress to the Stokes family, and especially to Deborah Stokes. We should not have published the article. We apologise to Deborah and Ben Stokes. We have agreed to pay them damages and their legal costs.”
Mathilde Groppo of law firm Carter-Ruck has conducted an insightful analysis of the privacy concerns surrounding the use of vaccine passports as lockdown restrictions ease.
The Duchess of Sussex’s application for summary judgment on the privacy part of her claim against Associated Newspapers (HRH The Duchess of Sussex v Associated Newspapers Ltd [2021] EWHC 273 (Ch)) was granted by Warby J.
In finding that the Defence disclosed no reasonable grounds for defending the claim, Warby J considered whether the pleaded defence had any real prospect of answering the claim for misuse of private information. He held that:
“(i) at the time of its publication, the claimant had a reasonable expectation of privacy in respect of the contents of the Letter, and (ii) this being the case, and applying the requisite balancing exercise, the defendant has failed to discharge the burden which rests upon it to advance a viable justification for interfering with that right.” at [35]
Question (i) – A reasonable expectation of privacy
Warby J considered whether the Defence pleaded, with a real prospect of success, that the claimant had no reasonable expectation of privacy in the information at issue, and whether the defendant had a realistic prospect of establishing this at trial. He answered no on both counts.
He applied the factors identified in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 (the “Murray factors”):
“(1) The claimant was a prominent member of the Royal Family, and in that sense a public figure, who had a high public profile, and about whom much had been and continued to be written and published; this is an important feature of the background and the circumstances but
(2) the nature of the “activity” in which she had engaged was not an aspect of her public role or functions; she was communicating to her father about his behaviour, its impact on her, her feelings about it, and her wishes for the future; and
(3) she was doing this in a letter sent to him alone, privately, by means of a courier service.
(4) The “intrusion” involved the publication of much if not most of the information in the Letter by way of sensational revelations over four pages of a popular newspaper and online, to a very large readership; and that, in broad terms, was the purpose of the “intrusion”.
(5) There was no consent, and it is beyond dispute that this was known to or could have been inferred by Mr Markle and the defendant.
(6) The unwanted disclosure was likely to cause the claimant at least some distress, especially as it was done with the co-operation of her father, and in the context of a detailed and critical response by him to the content of the Letter.
(7) The information was given to the defendant by the claimant’s father.” at [69]
Question (ii) – the balancing exercise
Warby J next turned to the balancing exercise: is the interference with freedom of expression that would be represented by a finding of liability necessary and proportionate in pursuit of the legitimate aim of protecting the rights of the claimant?
In concluding that it could not be justified, Warby J gave significant weight to the claimant’s status as a public figure. A theme of the defendant’s arguments was that the Duchess had sought to manipulate her public image; the argument that publication served to prevent the public from being misled, potentially a weighty one, nonetheless failed.
Warby J considered the defendant’s case on this point “legally untenable or flimsy at best”, concluding on question (ii):
“The claimant had a reasonable expectation that the contents of the Letter would remain private. The Mail Articles interfered with that reasonable expectation. The only tenable justification for any such interference was to correct some inaccuracies about the Letter contained in the People Article. On an objective review of the Articles in the light of the surrounding circumstances, the inescapable conclusion is that, save to the very limited extent I have identified, the disclosures made were not a necessary or proportionate means of serving that purpose. For the most part they did not serve that purpose at all. Taken as a whole the disclosures were manifestly excessive and hence unlawful. There is no prospect that a different judgment would be reached after a trial. The interference with freedom of expression which those conclusions represent is a necessary and proportionate means of pursuing the legitimate aim of protecting the claimant’s privacy.” at [128]
The copyright infringement issues were partially disposed of; the remaining copyright issues were left to be considered following the directions given at the next hearing on 2 March 2021.
The High Court, on a judicial review of a decision of the Investigatory Powers Tribunal (R (Privacy International) v Investigatory Powers Tribunal [2021] EWHC 27 (QB)), has held that general warrants cannot be used by the intelligence services to authorise property interference or computer hacking against a whole class of persons or acts: the warrant must specify its target in terms that are objectively ascertainable.
Judgment was given in the High Court on 8 January 2021 for the claimant on the question:
“Does section 5 of [the 1994 Intelligence Services Act] permit the issue of a ‘thematic’ computer hacking warrant authorising acts in respect of an entire class of people or an entire class of such acts?”
The Court found it did not.
Citing 250 years of case law going back to Entick v Carrington (1765), the Court considered that the common law had long established an aversion to general warrants. They are simply too broad in scope, capable of applying to whoever or whatever the executing official wishes. Accordingly:
“It follows that a general warrant gives rise to an unlawful delegation of authority by the legally entrusted decision-maker to the executing official. This unlawful delegation breaches a fundamental right.” at [30]
It was for the Secretary of State, in this instance, to decide the legality, proportionality and necessity of the warrant application and to limit its scope to what was strictly necessary. Leaving that discretion to an executing official would be unlawful.
The Court further stated plainly that the common law was strongly averse to any statutory construction that would permit such warrants.
It went on to state:
“The aversion to general warrants is one of the basic principles on which the law of the United Kingdom is founded. As such, it may not be overridden by statute unless the wording of the statute makes clear that Parliament intended to do so.” at [48]
The Court then went on to provide further guidance as to what could and could not be achieved by a warrant:
“A warrant in respect of “any device used at the Acacia Avenue Internet Café during the period of six months from the date of issue of the warrant” would in our view be sufficiently specific, as would “anyone who appears on the FCDO Ruritanian diplomatic list during the period of six months from the date of the warrant”.” at [52]
As for the impermissible broad brush approach:
The case represents a significant step in providing greater clarity around the restrictions on surveillance tools and the interpretation of legislation in light of the common law concerning general warrants.
A step towards safeguarding privacy, certainly, in curtailing the use of broadly drawn property interference (computer hacking) warrants under section 5 of the 1994 Act. It also reinforces the checks-and-balances role of the Secretary of State in approving the use of such tools.
A representative (class action style) claim valued at £2bn has been filed in the High Court against Google, focusing on its subsidiary YouTube’s handling of child users’ data.