The ICO’s guidance
on the GDPR contains the helpful reminder that if you don’t have consent ‘you
can rely on alternative legal bases to consent’. However, it doesn’t mention
that those alternatives apply to data protection law only, and not to what the ICO itself calls the ‘legal regime
which… operates in parallel with the DPA’.[1] It is like an
exam paper in two parts that gives instructions on how to answer one part but
not the other. Even worse, the other part is kept out of sight and not
mentioned at all.
The other legal regime is the law of the misuse of private
information (MPI). The GDPR caters for it by ‘providing a margin of manoeuvre
for Member States to specify its rules… including determining more precisely
the conditions under which the processing of personal data is lawful’.[2] MPI started life
as part of the common law of confidentiality (CLC). Personal information CLC still
exists as a separate cause of action but is for the most part subsumed by MPI. CLC
depends on the existence of a relationship of confidence – or trust – ‘between
the person who imparted the information and the person who received it’.[3]
That focus on relationships rather than the information
itself has led to misapprehension. In particular, the common belief that if A
shares information about B with C in confidence, C will owe a duty of confidence
to A in respect of it. If you put yourself in the shoes of B, the person the
information is about, you will see how wrong that is. A might be owed a duty of
confidence as to the fact that she shared the information, but not in respect
of the information itself.
Moreover, what if there is no confidential relationship
whether express or implied (implied, for example, in the relationship between
doctor and patient)? What protects the information then?
The answer was given by Lord Hoffmann as long ago as 2004 in
the case of Naomi Campbell v Mirror Group
Newspapers [2004] UKHL 22. He said (at [46]): ‘[t]here have been two [recent]
developments of the law of confidence… One has been an acknowledgement of the
artificiality of distinguishing between confidential information obtained
through the violation of a confidential relationship, and similar information
obtained in some other way. The second has been the acceptance, under the
influence of… article 8 of the European Convention, of the privacy of personal
information as something worthy of protection in its own right’.
Lord Hoffmann added (at [51]) that the law (MPI) ‘focuses
upon the protection of human autonomy and dignity – the right to control… information
about one’s private life and the right to the esteem and respect of other
people.’ That is a great objective indeed and data protection law by itself
doesn’t always achieve it.
Going back to the doctor and patient, under data protection
law by itself special category data can be processed for medical purposes without
consent. The provision is drafted very generously in the DPA, and even more so
in the GDPR, in favour of data controllers.[4] In some ways that
is a very good thing, but what control does the patient have? What about his or
her autonomy and dignity?
This is where MPI comes in. If an individual can reasonably
expect information about him or her to be kept private,[6]
it can normally only be processed – to use data protection terminology – with
informed consent. The alternatives to consent under MPI are few and apply infrequently.
They are: statute expressly requires or permits the processing; or a court has
ordered it; or it is a proportionate response to a pressing public interest
need (for example, safeguarding).[7] (Hence all the anxiety in the NHS and the Department of
Health about the extent to which informed consent can properly be implied for
the purposes of treatment and care.[8])
In
the case of health and social care processing the GDPR, exceptionally, makes
express provision for the application of member state law – in other words,
specifically applies the room for manoeuvre principle set out in Recital 10
(GDPR, Article 9.3). But it is not
just health information that people can reasonably expect to be kept private under MPI. The
information need not even be ‘special category’ as defined by the GDPR.[9] Financial
personal information springs to mind.
All of this needs careful thought and application, but it
has been ignored by the ICO as well as more widely. The ICO’s failure seems to
stem from its conception of itself. Responding to a consultation paper, it
says, ‘confidential information is generally not something for the ICO to
comment on as the regulator responsible for the DPA. We do however have some
comments about the context that this code will apply in… We are keen to ensure
that the code acknowledges that organisations must take the requirements of the
DPA into account as well as those of confidentiality.’[10]
The ICO does not practise what it preaches. It is blind to
‘the context that [the GDPR] will apply in’ and as a result its guidance is
very misleading. The ICO describes itself as an ‘independent body set up to
uphold information rights’. It should uphold all those rights, or make it very
clear that it upholds some of them only, and say why it is selective.
Bob Miller is a lawyer who works as a consultant in data
protection and privacy law and practice: bob.miller@zen.co.uk
Views on this issue are sought. You may not agree with Bob. Tell us why, either by completing a comment (if an SCL member) or by e-mail to lseastham@aol.com.
It is actually very easy to contribute to the magazine and website. Moreover, writing articles helps to keep your knowledge and learning up to date (and the work involved might well count for CPD purposes). For more, see https://www.scl.org/about/contributing
[1] The
Information Commissioner’s response to the Health and Social Care Information
Centre’s consultation on the draft Code of practice on confidential information,
ICO, 2014
[2] GDPR,
Recital 10
[3] Campbell v MGN at [44]
[4]
Data Protection Act 1998, sch 3, para 8; GDPR, Article
9.2(h)
[5] GDPR,
Article 9.3
[6]
The threshold for MPI. See Naomi Campbell
v MGN [2004] UKHL
22 at [21]
[7] Consultation
Paper 214, Law Commission, paras 3.89-90
[8]
See, for example, Review
of Data Security, Consent and Opt-Outs, National Data Guardian, 2016,
Part 3
[9] GDPR,
Article 9.2
[10]
See footnote 1 above