When Worlds Collide: Freedom of Information and the Protection of Health Data Dr Renate Gertz AHRC Research Centre School of Law, University of Edinburgh Edinburgh eHealth Research Network 29.11.06

The legislation
• 11 January 2005: Freedom of Information legislation England + Scotland
• Purpose:
  • General right of access to information held by or on behalf of public authorities
  • Promoting culture of openness and accountability across public sector

cont.
• 2000: Data Protection Act 1998 came into force
• Purpose:
  • Protects ‘personal data’ against unlawful disclosure to third parties
  • Promotes a spirit of confidentiality.

Exemptions to FOI
• Reasons for withholding information → exemptions from the right to know.
• Absolute exemptions: will always prohibit disclosure
• Qualified exemptions: public interest test - public interest in maintaining the exemption must outweigh public interest in disclosure.

Absolute exemption
• Personal data - FOI refers to Data Protection Act for definition
• S. 1 – personal data: “data which relate to a living individual who can be identified- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.”
• S. 2 – sensitive personal data: “personal data consisting of information as to …(e) his physical or mental health or condition ...”

cont.
• The result:
  • Two diametrically opposed pieces of legislation – spirit of openness v. spirit of confidentiality
• The problem:
  • To find a sensible way of agreeing on a feasible compromise

The first health data case
• Common Services Agency (ISD) v Collie
• Information on childhood leukaemia cases (0-14 years) in Dumfries and Galloway by census ward
• Grounds for refusal: combination of rare diagnosis, specified age group, small area, low numbers = identifiability = personal data
• SIC: personal data, but ‘barnardised’ version to be provided
• ISD: appeal to the courts – hearings took place two weeks ago! Decision expected soon

Implications of Collie
• ‘pure’ FOI issues:
  • powers of the SIC
• Data Protection – FOI interface issues:
  • What are personal data

FOI Issues
• S.1 (4) “The information…is the information held at the time the request is received”
• SIC: data to be barnardised – still data ‘held’?
• What power does the SIC have?
  • Power to order authority to release data it does not hold?
  • Power to instruct authority to ‘do something’ to data so it can be released? – s. 15(1) “A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and assistance to a person who proposes to make, or has made, a request for information to it.”
  • → Power to order ‘barnardisation’?

Implications beyond Collie
• S 15 – to provide “advice and assistance”
• How far does this go?
• What about data not held in a form that can be handed over to applicant?
• Duty to analyse data and arrange into table?
• Data integration: consequences?

Preventing identifiability
• Most commonly recognised: anonymisation
• Problem legally acceptable level of anonymisation: Is ‘barnardisation’ sufficient?
• Problem ‘connectivity’
• Spirit of DP would prohibit disclosure
• Spirit of FOI promotes disclosure
• Tension at interface between regimes: Solution “to substantially remove risk of identification”? Again: What is acceptable?
• Problem definition

Defining personal data
• Durant case precedent = “focus on an individual or be of biographical significance for the individual concerned”
• October 2005: European Commission: UK before ECJ if personal data definition remains too narrow, not in line with the Directive!
• FOIA refers to DPA: will Durant continue to provide yardstick for both Acts? → Ruling against UK will affect both England and Scotland.

cont.
• Practical difficulty: England, Information Commissioner = both DP + FOI: new policies applied by one office
• SIC = only FOI, not DP as DP = national matter.
• So: Will SIC obtain policy on personal data from England before being able to apply it to Scottish FOI appeals, because: unacceptable if differing interpretations of ‘personal data’ were to emerge.

Data protection principles
• 2 new cases requesting surgeon mortality rates
• Required: breach of DP principle = fair processing
• SIC: personal data relating to professional, not personal lives!
• Problem: DPA and FOIA – guidance on ‘fairness principle’ differs
• Applying DPA guidance to FOI – unproblematic
• Applying FOI guidance to DPA: direction of referral – DPA does not refer to FOIA!! New legislation trumps old, but what about guidance?