End of privacy rights in the UK public sector?

There has already been serious controversy about the “Henry VIII” powers in the Brexit Bill, which will enable ministers to rewrite laws at their discretion as we leave the EU. Now Theresa May’s government has sneaked a new “Framework for data processing in government” into the Lords committee stage of the new Data Protection Bill (see pages 99-101, which are pp 111–3 of the pdf). It will enable ministers to promulgate a Henry VIII privacy regulation with quite extraordinary properties.

It will cover all data held by any public body including the NHS (175(1)), be outside of the ICO’s jurisdiction (178(5)) and that of any tribunal (178(2)) including Judicial Review (175(4), 176(7)), wider human-rights law (178(2,3,4)), and international jurisdictions – although ministers are supposed to change it if they notice that it breaks any international treaty obligation (177(4)).

In fact it will be changeable on a whim by Ministers (175(4)), have no effective Parliamentary oversight (175(6)), and apply retroactively (178(3)). It will also provide an automatic statutory defence for any data processing in any Government decision taken to any tribunal/court 178(4)).

Ministers have had frequent fights in the past over personal data in the public sector, most frequently over medical records which they have sold, again and again, to drug companies and others in defiance not just of UK law, EU law and human-rights law, but of the express wishes of patients, articulated by opting out of data “sharing”. In fact, we have to thank MedConfidential for being the first to notice the latest data grab. Their briefing gives more details are sets out the amendments we need to press for in Parliament. This is not the only awful thing about the bill by any means; its section 164 will be terrible news for journalists. This is one of those times when you need to write to your MP. Please do it now!

3 thoughts on “End of privacy rights in the UK public sector?

  1. Hi Ross,
    I’d really like to badger my MP about this. She’s quite responsive and I expect will be willing to help.
    I tried to look up the relevant bits in the text so I could understand what I was talking about though, and I hit a problem.
    Either I don’t understand anything about how these things are worded (which is altogether possible) or the references might be off (less likely).
    I was mostly following along fine (ish) until the bit about judicial review. I looked at parts 175(4) and 176(7) and they state:
    “The Secretary of State may from time to time prepare amendments of the
    document or a replacement document.”
    and
    “This section applies in relation to amendments prepared under section 175 as
    it applies in relation to a document prepared under that section.”

    Is it the case that because section 175 doesn’t specifically describe a judicial review process and therefore action can be taken without such? That being the case, that doesn’t preclude review entirely does it?

    Also, I don’t see how 178(3): “A document issued under section 176(3), including an amendment or replacement document, is admissible in evidence in legal proceedings.”, means that these frameworks apply retroactively. Am I giving the drafter too much slack?

    If you were able to provide a breakdown of your reasoning, I’d really appreciate it.
    This sounds like the sort of thing I’d care about, but at present I just don’t understand it clearly enough to articulate my position with any level of authority.

    Cheers,

    Dave

  2. The lack of effective parliamentary oversight comes from the fact that it’s a negative resolution procedure; the regulation is put before parliament and some MP or peer then has to start a debate on it – something that in practice never happens.

    I can’t comment on judicial review, or retrospective effect; I was following MedConfidential on that. I don’t know for sure, as I’m not a lawyer. But the fact that we will be leaving the ECJ (whether in March 2019 or at the end of a transition period) will leave no obvious way to challenge a regulation that infringes human rights. I fear we may see a regulation that overrides previous findings of ECJ such as the I v Finland precedent that the Department of Health finds so annoying as it gives us the right to opt out of secondary uses of our medical records. You can try suing in the Strasbourg court but its findings don’t have direct force here. With luck ministers might heed them and change the regulation, but again they might drag their feet.

    You’ll have noted that after a hospital gave over a million people’s medical records illegally to Google Deepmind, they were reprimanded by the ICO, but Google was not ordered to delete the records. Is this the shape of things to come?

    I’d suggest that you write to your MP about the issues other than judicial review until we get clarity.

  3. Amendments to the “Framework for Data Processing by Government” have been tabled by opposition peers, but not yet debated. They can be seen here:

    http://lordsamendments.parliament.uk/?Session=2017-2019&Id=2158&Stage=Report&Decision=Not-yet-debated&ResultsPerPage=20

    The relevant amendments are numbered (when I looked, at any rate) 175-180. The first amendment, among other things, changes the process to the affirmative resolution procedure.

    There’s also some commentary by MedConfidential here:

    https://medconfidential.org/2017/framework-for-data-processing-by-government/

Leave a Reply to Ross Anderson Cancel reply

Your email address will not be published. Required fields are marked *