Tag Archive for Data Protection Act

FOI: this time it’s personal

FOIMan brings you the latest in his series of articles for PDP’s Freedom of Information Journal.

freedom-of-information-graphic-smallOne of the more difficult aspects of dealing with freedom of information (FOI) requests is knowing how to handle personal information. How do you decide whether the information can be disclosed? If you decide not to disclose it, how do you apply the section 40 exemption correctly? What happens if the requester asks for information about themselves?

I’ve previously tackled this in the Exemption Index here on this site, but in my latest piece for PDP’s Freedom of Information Journal, I’ve attempted to bring more clarity to this complex subject aided by the latest case law. The next of my PDP pieces indulges in a little time travel to explore an interesting nugget of FOI history, and you’ll be able to read it here later in the autumn. You can also subscribe to the Journal if you want to read more helpful FOI updates and articles.

Wanting to get data sharing right is not time-wasting

FOIMan is concerned that legitimate questions and concerns about data sharing are too often dismissed by those in a rush to exploit big data. And explains that this is nothing new.

Ambulances at A&E

Ambulances outside A&E

Years ago I worked for a hospital NHS Trust. Soon after I started, I was invited to a meeting with local police, council officers, a representative from the Department of Health and a manager from our own A&E department. The meeting was to discuss sharing A&E data with the police and local council.

This was part of a national programme sponsored by the Home Office. Academic research had found that where police had access to certain A&E data, crime – and particularly violent crime – dropped as they could target hotspots. A&E admissions also dropped. So win-win. The Home Office was obviously very interested in this and was pushing for all hospitals with an A&E department to share data in this way.

I was new to the job, and to data sharing, so I needed to know a few things. One of the key questions any DP Officer worth their salt needs to know in this situation is what legal power they have to share the data. So I asked, and nobody knew (which was interesting in itself, given this was supposedly a national project). They said they’d ask the doctor who’d done the original research to contact me and let me know.

So one afternoon I received a call from him. Initially he was very pleasant but he didn’t actually tell me what I needed to know. When I pushed him on this, his response was to angrily tell me that people were dying because I was delaying the project.

Eventually (and with no thanks to the researcher or the Home Office) I reached agreement with the community team. We would share some of the data they wanted (but not all), and the agreement stated that the police were not allowed to put the data together with their own to enable reidentification of individuals who may have been in contact with both organisations.

There seems to be an attitude from NHS England at the moment that is reminiscent of this episode. Reasonable questions about safeguards are being dismissed. Rational concerns about privacy are portrayed as preventing progress. I’m not someone who is blind to the benefits of care.data or other big data projects. But I want them to be handled properly and to have confidence in those looking after the data.

When concerns like these are dismissed as time-wasting or a failure to understand, it bothers me. And I suspect it bothers lots of other people too, whatever their views on the benefits of the individual project. It feels high-handed, as though the medical establishment doesn’t really care about the views or privacy of the public as long as they get their precious data. I’m sure that isn’t the case, but a continued failure to acknowledge legitimate concerns allows this impression to grow.

Photograph by D-G-Seamon [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

CP and DP

FOIMan finds DP being breached in his own backyard.

Back in 1936, the Crystal Palace, originally built for the Great Exhibition in 1851, and later moved to parkland to the south-east of London, burnt down. It had been in decline for many years, so there was no rush to rebuild it. Indeed, nearly 80 years on, its site still stands bare, save for a few sphinx, crumbling steps and headless statues.

A sphinx in Crystal Palace Park

Plans to rebuild the Crystal Palace have kicked up a sphinx

One of the reasons that it has remained that way is that local residents kind of like it. There is a romantic air about the site, and the lack of a central attraction means that its surrounding parkland is a nice place for a quiet stroll, occasionally interrupted by a dinosaur. It’s our little secret.

So there are a few raised eyebrows in this suburb of south London at Boris Johnson’s excited pronouncement last year that a Chinese investor, Zhong Rong International (Group) Ltd,  wants to rebuild the Crystal Palace. And keen to drum up community support the consultants coordinating the project, Arup, have arranged a series of drop-in sessions where locals can ask questions and complete a questionnaire about their views on what should be built (or indeed whether anything should be built at all).

Mrs FOIMan and I are sceptical about the plans so we decided to pop along to today’s session. The first thing we were asked to do was to add our name, address and email address to a sheet by the door. Mrs F, on the ball as ever, asked why they were collecting the information. The slightly flustered looking lady on the door answered:

“It’s just so we can write to you with updates, that sort of thing.”

Needless to say there was nothing on the sheet to explain this and it wasn’t volunteered. The lady at the door just asked each person who arrived to fill in their details as though it was a requirement of entry.

After we’d chatted to the staff from the Greater London Authority (Boris’s HQ, and my former employer) and Bromley Council we dutifully completed our questionnaires. Before asking about the plans, it asked for some personal information. It explained this time that we didn’t have to give this, but that it would be used to contact us with updates on the plans. Which is fair enough. Except that apparently they needed our gender, ethnicity, and age group to contact us.

Now if you’re trying to reassure a sceptical public of your plans, collecting their details unfairly (ie without telling them what you’re going to do with it) and breaching at least two data protection principles in the process (1 and 3 as you ask) probably isn’t the best way to do it. As more high profile projects have found, this kind of thing can come back to bite you. And it doesn’t exactly smack of a professional, well-run operation.

We completed it anyway (apart from the data that they had failed to justify) and left. On the way out Mrs F turned to me and said “Damn, I wish I’d made a copy of my questionnaire”.

I considered this and replied helpfully:

“Well you could always make a subject access request…or at least you could have done if they’d told us who the data controller was.”


If you want to know how to collect personal information fairly, why not book on my Practical DP course through Act Now Training?


IMG_0337FOIMan despairs of the way the care:data project is being handled.

Care:data has literally kept me awake at night. Six months ago I wrote a piece which referenced care:data as an example of what I perceived to be a knee jerk reaction to any proposal to share personal data. That was a mistake. But that’s only part of the reason for my angst.

I still think that data protection practitioners need to be careful not to be known as “Doctor No”. I do worry that often, through a polarisation of views on these issues, there is a risk that “the baby is thrown out with the bathwater” in projects that involve personal data processing. And I also worry that because of the polarisation that happens, the debate – or argument, as too often it can be categorised – becomes bitter and often personal.

I have been concerned, and remain concerned, that it has been impossible for patients, practitioners and others to get to the bottom of what is happening with care:data. This is not just because of the failings of NHS England, who of course bear the primary responsibility for the problems that have emerged. But I have also felt uneasy about the information coming from opponents of care:data which has been one-sided, often verging on propaganda (for example, posters for GPs to place in their surgeries explaining only why patients should opt out are not really “informing patients” in my view). I also question whether activity that verges on trolling of NHS representatives on Twitter and elsewhere is the best way to make the case for privacy. These activities have alienated me, and perhaps many others who might have been persuaded by a more balanced approach (though I was pleasantly surprised to find that Phil Booth of MedConfidential and Nick Pickles of Big Brother Watch came over as measured during today’s committee hearing, and didn’t respond to the bait laid by some MPs asking them if they were insisting that care:data be made “opt-in” only).

But the truth is that just from watching this afternoon’s Health Select Committee session on care:data, it is clear to see that there are major problems with the project. They go way beyond communication – though that has been lamentable (no, I didn’t get the leaflet either). The witnesses from NHS England and the Health and Social Care Information Centre in particular were very poor. It was not unexpected that the MPs would want to ask about the disclosure to the Actuaries society reported in the Telegraph. So why wasn’t Max Jones of HSCIC better briefed beforehand? It is simply incredible to claim not to have any information on it because it happened when the organisation was in a previous form. There was time to establish the facts before the hearing. Tim Kelsey and Daniel Poulter appear to be in denial about problems, and despite promising to listen seem to have wax in their ears. “I don’t trust the performances I’ve seen here today” said one MP and I’m with her on that.

Agonising is the appropriate word to describe my attempts to make sense of care:data, so God help patients who haven’t been reading about it. Today’s committee wouldn’t have helped, with both MPs and witnesses appearing confused. Even the Information Commissioner’s Office has given conflicting statements on the project (within 48 hours they went from being satisfied with the communication of the project to dissatisfied, somewhat incredibly). My gut instinct is that I want my data to be used for medical research for the reasons articulated by Ben Goldacre in his brilliant article for The Guardian at the weekend. But unless NHS England, HSCIC and the Department of Health get their acts together, even I’ll be wanting to opt out. And that’s if it doesn’t get axed, which based on today’s performance is increasingly likely. It could well lead to this baby being pitched right out on its ear.

Seriously, I just want to hear both sides

FOI Man wants a balanced and calm debate on sharing of personal data. Is that really too much to ask?

At the end of last week I posed two questions. Firstly, are we assuming the worst of any proposal to share data? And secondly, if this is the case, is it damaging to society?

I was aiming to start a debate, and to an extent I was successful. It generated a lot of heat, but for me at least, not much light.

Let me just reiterate what I was not saying. I wasn’t saying that it should be easier for organisations to share data. I wasn’t saying that the Data Protection Act or confidentiality law should be weakened. I wasn’t saying – necessarily – that I agree with any of the examples I gave, including the care:data programme (the plan that will allow a central NHS body to extract data about patients from GPs’ patient records, and then share that data with other approved bodies). My mind is open on this, which is why I wanted the debate – I wanted to be persuaded one way or the other.

The problem I have is that whilst there are lots of blog posts and newspaper articles telling us to opt out of care:data and describing the risks in emotive terms, I’ve seen very little explaining why, therefore, it is being done. Presumably if NHS England are pressing ahead with this, somebody is giving them alternative advice. Somebody thinks this sharing is legitimate. But I can’t find anything about this. I get told to opt out or my data will be sold to companies (though NHS England deny this, so what am I to believe?), and if I want to know more, I’m given a link to Mail Online (which obviously has a reputation for balanced reporting of these matters). Interestingly, none of these articles or posts appear to link to the relevant website provided by the Health & Social Care Information Centre. They all point to other articles which subscribe to the same view.

This is exactly what I was referring to in my last post – the debate about sharing of personal data is marked by hyperbole and polarised opinions. That’s not how I want to make my mind up about important issues.

A lot of the fault – probably most of the fault – for this lies with NHS England, who could, as has been pointed out, have communicated the aims and implications of this project far better. But a lot is down to the tone of the debate. Just raising the possibility that there is another side to the argument attracted pretty strong criticism.

I have friends outside the information rights profession (if there is such a thing) who don’t understand why there is such opposition to this proposal. Scientists in particular who can see the potential for life saving discoveries through analysis of data. To them this looks like scaremongering. These are not stupid people. They can be persuaded by reason and evidence. They’re not going to be persuaded by just telling them there are risks. They, like me, want to know all the arguments for and against, see the evidence, and then reach a reasoned decision.

At the start of next month I hope to attend a meeting of the National Association of Data Protection (and FOI) Officers. One of the speakers is a representative of MedConfidential who have been vocal in opposing care:data. I’ll be interested to hear what they have to say, but I’d really like to hear someone from NHS England or the Health & Social Care Information Centre give the other side before deciding whether to opt out and encourage others to do the same.