Healthcare Features

Details

Written by: Sean Clement

Category: Healthcare Features

Published: 07 July 2011

Hits: 1264

• localgov

Is Local Government being disproportionately targeted by the Information Commissioner? Jonathan Baines looks at the evidence.

On 1 July 2011 the Information Commissioner (IC), Christopher Graham, issued a strongly-worded press release, which announced the publication of five undertakings he had required NHS Trusts to sign, following serious breaches of the Data Protection Act 1998 (DPA). In an interview in The Independent the same day there was even more tough-talking about NHS data breaches: “There’s just too much of this stuff going on. The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it.”

In one obvious way, there is something that can be done about it. Section 55A-E of the DPA (as amended by the Criminal Justice and Immigration Act 2008) came into force in April 2010, and gave the IC the powers to impose Monetary Penalty Notices (MPNs), to a maximum of £500,000, on organisations committing serious breaches of the DPA. He will only exercise this power where the breach is of a kind “likely to cause substantial damage or substantial distress” and where it was deliberate or, effectively, reckless. Since he acquired the powers, he has issued six MPNs, to a total sum of £431,000, and the maximum being £120,000.

It is noteworthy that none of these six MPNs has been imposed on an NHS body (nor, indeed, central government  nor the police). And only two, totalling £61,000, have been imposed on private companies. Four of the six, however, totalling £370,000, have been imposed on local authorities. A recent Freedom of Information request revealed that since November 2007 1674 instances of serious breaches of the DPA had been self-reported to the IC’s office. Of these, only 302 were from local authorities. By contrast 473 were from NHS bodies, and 502 from the private sector. These four-year figures are broadly reflected in figures in the annual report released on 6 July by the IC, which, for the past year, show 146 local authority breaches, compared to 165 by the NHS (with 186 by the private sector).

So are local authorities being disproportionately targeted by the IC when it comes to the imposing of MPNs? The IC would no doubt state that each breach will be considered on its facts, and he will have close regard to the nature and volume of the data involved (the more sensitive and voluminous the data, the worse the breach) as well as to any remedial steps the authority has taken and to its financial resources. Local authorities, by their nature, handle large amounts of particularly sensitive data, but so do most, if not all, NHS bodies and it would be surprising if one arm of the public sector was  very much better at keeping personal data secure than another. Indeed, when one compares those recent NHS breaches which haven’t attracted MPNs, with the others which have, one notices some obvious similarities (wrongly-directed faxes being a common mistake).

One should sound a note of caution however: without close analysis of the facts of each breach considered by the IC it is not possible fully to equate one breach with another.

Nonetheless, one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option:  a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

Christopher Graham does not have any easy task when he hands out MPNs. When (or if) he imposes one on the NHS he will no doubt cause controversy, but he might also reassure local government that it is not being disproportionately targeted when it comes to DPA enforcement.

Jonathan Baines works in Local Government. His blog, Information Rights and Wrongs, can be read here.

See also: Serious data breaches double in two years, ICO report reveals

Details

Written by: Sean Clement

Category: Healthcare Features

Published: 07 July 2011

Hits: 1387

• localgov

The Steven Neary case in the High Court is a very significant ruling for local authorities and Primary Care Trusts dealing with the Deprivation of Liberty Safeguards. Simon Lindsay looks at the judgment.

The case of Steven Neary is interesting, not just because it has attracted a great deal of press attention, but in particular because of the analysis and comments on the responsibilities of supervisory authorities (PCTs and local authorities) when dealing with the Deprivation of Liberty Safeguards.

The background and decision

Steven Neary was moved to a care home in Hillingdon, in spite of the objections of his father, in January 2010. For a variety of reasons the Court found that Steven was deprived of his liberty unlawfully and was deprived of his right to family life and privacy for the best part of a year. The responsible authority in this case, the London Borough of Hillingdon, also failed to apply to the Court of Protection early enough to obtain a proper legal framework which would have legitimised the circumstances in which Steven was being kept. The judge made it clear that Hillingdon LBC failed to ensure that proper steps were taken to safeguard Steven’s fundamental human rights.

Discussion

At one level, this case underlines the importance of ensuring that vulnerable, incapable individuals who are potentially or actually deprived of their liberty should receive proactive attention from the relevant authorities. Within the framework for obtaining an Authorisation for Deprivation of Liberty provided by the Mental Capacity Act, a PCT or a local authority should not simply rely on the resources or tenacity of such an individual or his family.

One of the criticisms raised by the judge in this case was: “[Hillingdon] acted as if it had the right to make decisions about Steven, and by a combination of turning a deaf ear and force majeure, it tried to wear down Mr Neary’s resistance, stretching its relationship with him almost to breaking point. It relied on him coming to see things its way, even though, as events have proved, he was right and it was wrong. In the meantime it failed to activate the statutory safeguards that exist to prevent situations like this arising.”

To require the statutory authorities to engage with the family in a meaningful sense would probably be no surprise to anyone. This case shows that a supervisory body or a state organisation responsible for caring for an individual who may be deprived of his liberty, ignores that person’s family at its peril.

Of similar importance is the clarification of the role of the supervisory body in relation to applications for Authorisations under the Deprivation of Liberty Safeguards Procedure. Those safeguards must be obtained in accordance with the procedure set out in Schedule A1 to the Mental Capacity Act. The procedure is complex and requires six assessments to be undertaken. Paragraph 50 of the Schedule provides that a supervisory body must give a standard authorisation if all the assessments are positive.

On the face of it, this suggests that the supervisory body has a passive role, akin to rubber stamping the findings of the assessors. The judge in the Neary case clarified that this is not so. He said that: “The suggestion that the supervisory body is bound to act on any assessment that is not grossly and obviously defective sets the standard too low. It supposes an essentially passive supervisory body. This would not meet the objectives of the Act and would not provide effective protection against breaches of Article 5”.

The obligation of a PCT which receives an assessment which it knows, or ought to know, is inadequate is firstly not to follow the recommendation made. Secondly it should take all necessary steps to remedy the inadequacy. If necessary this should include bringing the deprivation of liberty to an end by conducting a review or applying to Court.

This brings the role of the supervisory body closer to that of Mental Health Act Managers. One of the criticisms of the Deprivation of Liberty Safeguards procedure was that it was all procedure and no safeguards. This case has gone some way to addressing that criticism, but the procedure is still a long way from the detailed provisions set out in the Mental Health Act. PCTs will need to review their practices in dealing with applications for Authorisations, including separating functions within their organisations and ensuring that where papers are received they are proactively considered.

Practice issues for those working in the field

In his judgment  in paragraph 33, Mr Justice Peter Jackson identified three practice points for those working in the field:

• "The purpose of DOL authorisations and of the Court of Protection: Significant welfare issues that cannot be resolved by discussion should be placed before the Court of Protection, where decisions can be taken as a matter of urgency where necessary."
• "Decision-making.: Where a local authority wears a number of hats, it should be clear about who is responsible for its direction."
• "The responsiblities of the supervisory body: The responsibilities of a supervisory body, require it to scrutinise the assessment it receives with independence and a degree of care that is appropriate to the seriousness of the decision and to the circumstances of the individual case that are or should be known to it."

In addition Mr Justice Peter Jackson found that there was a breach of Steven's rights under Article 5(4) because:

• an IMCA should have been appointed in April 2010. LB Hillingdon should have persisted in obtaining one for Steven Neary;
• there was no effective review;
• the local authority had an obligation "to ensure that a person deprived of liberty is not only entitled but enabled to have the lawfulness of his detention reviewed speedily by a court."

Simon Lindsay is a partner at Bevan Brittan. He can be contacted on This email address is being protected from spambots. You need JavaScript enabled to view it..

See also: Council unlawfully kept 21-year-old man in care for a year, says High Court judge

Details

Written by: Sean Clement

Category: Healthcare Features

Published: 06 July 2011

Hits: 972

• localgov

The number of serious data protection breaches reported to the Information Commissioner’s Office has almost doubled in just two years, the watchdog’s annual report has revealed.

There were 603 reports of serious data breaches in 2010/11, compared to 464 in 2009/10 and 319 in 2008/09.

With 146 reports, local government was responsible for almost a quarter (24%) of the data breaches referred to the ICO in the last year. However, both the private sector and the NHS were responsible for more incidents. The private sector accounted for 186 reports (31%), while the health service provided 165 (27%).

The annual report also revealed that the number of freedom of information cases referred to the ICO rose 17% to 4,374 in 2010/11.

Other key findings from the report include:

• The ICO closed 4,369 FOI cases in 2010/11, up 4% from 4,196
• At the start of the year, the ICO had 117 FOI complaints over a year old. This was reduced to three by the end of 2010/11. The ICO also had 47 cases over nine months old by the end of the year, compared to 176 in 2009/10 – a drop of 73%. There were 179 cases over six months, down 39% from 294
• The average age of FOI cases in days was 97, down from 31% from 140
• The outcomes of cases for FOI casework finished in 2010/11 were: informally resolved (47%); decision notice served (20%); ineligible or not section 50 (17%); no internal review (7%); reopened pending final outcome (7%); no action required by the ICO or complaint withdrawn by applicant (2%)
• Local government was responsible for 44% of complaints in relation to freedom of information. The sector was followed by central government (30%); police and criminal justice (9%); health (9%); education (7%); and private companies (1%).
• The outcome of FOI complaint casework where a decision notice was served was: complaint upheld in 215 cases (26%); complaint not upheld in 369 cases (45%); and complaint partially upheld in 233 cases (29%)
• The data protection casework received by the ICO fell 21% to 26,227 (from 33,234 in 2009/10)
• The ICO closed 29,685 data protection cases in 2010/11, down 9%
• The work in progress at 31 March 2011 was 3,558, compared to 7,251 cases at 1 April 2010
• There were just nine data protection cases over nine months old, compared to 212 the year before. There were 137 cases over six months old, down 84% on the 894 in 2009/10
• The average age of data protection cases in days in 2010/11 was 60, down from 89 the previous year.
• The outcomes of cases for data protection casework finished in 2010/11 were: advice and guidance provided (44%); breach likely (23%); ineligible complaint (19%); breach unlikely (12%); and reopened pending final outcome (2%)
• The top 10 areas generating most complaints where sector was specified were: lenders (13%); general business (11%); direct marketing (9%); local government (7%); health (6%); central government (5%); telecoms (5%); policing and criminal records (5%); debt collectors (3%); and internet (3%)
• The top 10 reasons for complaining were: subject access (28%); inaccurate data (15%); disclosure of data (12%); phone calls – automated (9%); phone calls – live (9%); security (7%); email (6%); SMS (3%); right to prevent processing (2%); and fair processing information not provided (2%)
• The number of cases closed with a decision notice under the Freedom of Information Act and Environmental Information Regulations was 817, up from 628 in 2009/10.
• There were 202 appeals against the ICO’s decisions. Of these 84% were made by complainants (170) and 16% by public authorities (32).
• The Information Tribunal determined 155 appeals in 2010/11. The outcomes were: dismissed (35%); withdrawn (21%); part allowed (15%); struck out (15%); consent order (8%); allowed (4%); and invalid (2%).

In the foreword to the annual report, the Information Commissioner, Christopher Graham, said he welcomed measures in the Protection of Freedoms Bill that were designed to strengthen the independence of the ICO. However, he warned that there was “still work to be done to complete the framework”.

Graham acknowledged that the watchdog would have shoulder its share of the burden of spending cuts.

“We continue to strive to find efficiencies and to deliver ‘better for less’,” he said. “But, with growing demand for our services, finding savings is a struggle. Where we are asked to take on new responsibilities we will need additional resources to carry out the work.”

The Information Commissioner said that, longer term, it may be time to question the current arrangement of separate funding for data protection and freedom of information activities. “It makes less and less sense to fund freedom of information out of grant-in-aid and data protection out of notification fees, and never the twain shall meet,” he said.

Graham argued that the independence and the effectiveness of the ICO would be better secured by more flexible funding arrangements. “As well as liberating the ICO from the apron strings of the Ministry of Justice, we may need to find alternatives to the purse strings of HM Treasury,” he continued. “Such an arrangement would also show government commitment to protecting information rights and to the value of an independent overseer.”

Philip Hoult