Healthcare Features

Details

Written by: Sean Clement

Category: Healthcare Features

Published: 18 November 2010

Hits: 1381

• localgov

The criminal sanctions of the Computer Misuse Act 1990 represent a significant danger to public sector employees who routinely access data stored on their computers, writes Valerie Surgenor.

The advent in recent years of a number of pieces of Data/Information Technology legislation in the UK has meant that public sector workers are now subject to an increasing number of legal obligations. For example, freedom of information requests under the Freedom of Information Act 2000 must be responded to timeously and satisfactorily, whilst a number of stringent obligations exist under the Data Protection Act 1998 in relation to the handling and releasing of personal information.

Yet even in the face of the above-mentioned legislation it may come as a surprise to many that the little-known Computer Misuse Act 1990 ("the Act") – a piece of legislation which has been in existence for 20 years – could be of danger to many public sector workers who routinely access data stored on computers in their day-to-day employment.

The Law

The Act was brought into force in 1990 primarily to stop the hacking and accessing of computer data and networks. Section 1 of the Act makes it an offence to access data held on a computer where the person knows that access is unauthorised. There does not have to be intention to access specific data or programs, nor does there have to be any sort of malice involved. The s.1 offence is perpetrated simply by the data being accessed; that access being unauthorised; and the accused knowing that such access is unauthorised.

Sections 2, 3 and 3A of the Act go further and lay down the offences of using the unauthorised access to commit a serious criminal offence; carrying out an unauthorised act which impairs the operation of a computer; and making/supplying any articles which can be used to commit one of the offences in sections 1-3. In the context of public sector workers, whilst sections 2-3A are important to bear in mind, they are likely to be of less importance in practice than the provisions of s.1. The focus of this article is therefore the offence under s.1 of unauthorisedly accessing data.

Interpretation of "Access"

Where a person is accused of carrying out a s.1 offence under the Act there is little scope to argue that the data was not actually accessed. "Access" is defined broadly under s.17(2) of the Act as: (a) altering or erasing a program or data; (b) copying or moving the program or data to a different storage medium; (c) using the program/data; or (d) having the data output from the computer (whether by displaying it or otherwise). The scope for the accused to argue that they were not actually accessing data is therefore limited almost to nil.

Interpretation of "Unauthorised"

A common defence used where a person is accused of carrying out a s.1 offence is that the data/program was accessed, but that the access was authorised. This raises questions of what types of access are "unauthorised".

Section 17(5) of the Act defines access as unauthorised if: (a) the accused is not entitled to control access to the data/program; and (b) the accused does not have consent to access the data/program from a person who is entitled to give consent.

Unfortunately this area of the law has suffered from a severe lack of judicial consideration (despite its 20 years of existence) to interpret the terms of s.17(5), and the case law which does exist is contradictory. There is therefore some uncertainty as to when access will be "unauthorised". Nonetheless, some general principles can be derived.

The issue was first considered in the case of DPP v Bignall [1998] 1 Cr. App. R.1 where two police officers received consent from the police commissioner to access the Police National Computer ("PNC") for policing purposes. The two accused, however, instructed a PNC operator to use the PNC to obtain details of car registrations for their personal use (such use clearly not being for the authorised 'policing purposes'). The court in this case held that, whilst the accused did not have authority for the particular purpose actually accessed, they nonetheless had authority from the controller of the data (the police commissioner) to control access to the data (i.e. they could control access by requesting the data operator to obtain specific data). The two accused were therefore not guilty of an offence under the Act.

This decision has, however, been largely overruled by the decision in R v Bow Street Metropolitan Stipendiary Magistrate [2000] 2 A.C. 216 and the position now appears to be that where authorisation is given to a person to access data, the actual access must not go beyond the authorisation given. (There appears to be a narrow exception to this where the accused – as in DPP v Bignall – instructed a person with authorisation, i.e. the computer operator, to access the data for them; the accused will in this situation potentially not be guilty of an offence under s.1. Whether this exception would still be upheld by the courts, however, is not clear.)

Punishment

If found guilty of unauthorised access of data/programs under s.1 of the Act, the convicted person faces up to two years in prison and/or a fine of up to £5,000 (or £10,000 in Scotland).

Specific Issues for the Public Sector

Whilst the dangers to public sector workers posed by the Computer Misuse Act may not be immediately clear, a number of cases have been raised in the past in relation to public sector workers.  The fact that the vast majority of cases under the Act have been unreported makes analysis of the decisions somewhat difficult, however some areas of danger can be highlighted.

Using Authorised Access for the Authorised Purpose

As stated above, access to data is now likely to be considered authorised only where the actual use of the data is the purpose for which authorisation was given. In the case of R v Scott Gelsthorpe and Jeremy Young (unreported, Southwark Crown Court, 2007) police officers were given authorisation to access the PNC in the course of their duties as police officers, for the purposes of policing. Yet in this case the police officers accessed the PNC to provide information to a private detective agency with which they were affiliated. So whilst the access was authorised for policing purposes, it was not authorised for the purposes of their private detection business. Although the actual decision in this case turned upon s.3 of the Act, it is likely that the accessing of the data in this case would also have been unauthorised in terms of s.1.

Workers in the public sector should therefore be sure that, where they have authorised access to any computers which hold data, they are only accessing the data for the authorised purpose. In practice this is likely to be accessing the data in the course of their employment only (i.e. for the purposes of their employment) – accessing for any form of personal use will put public sector workers at risk of committing an offence under s.1 of the Act.

Using Authorised Access for Personal Purposes

Going hand-in-hand with the rule that the authorised access must be used for the authorised purpose is a rule that the authorised access must not be used for personal purposes. The case of R v Scott Gelsthorpe and Jeremy Young, above, was an example of where public sector workers went beyond the remit of their authorised access and used the accessed data for their private business. In the context of s.1 of the Act this is likely to constitute use for personal purposes.

In the case of R v Michelle Begley (unreported, Coventry Magistrates Court) a police officer was given authorised access to the PNC (such access was given, again, for policing purposes). The police officer, however, used the access to the PNC to track electoral records and car registrations of a female who had been conducting an affair with her boyfriend. The accused was convicted of a s.1 offence and sentenced to three months’ imprisonment.

A similar case arose in R v Bennett (unreported) where an ex-police superintendent used the PNC to track details of his ex-wife's new partner. In this case the accused pleaded guilty to a s.1 offence and was fined £150 plus costs. (A caveat to this case is that it may have been overturned on appeal.  However due to the fact that the original case itself was unreported, no further details exist to confirm this. We must therefore work on the basis of the original decision.)

Although none of these cases turned specifically on whether the access was for personal use, such personal use is – by virtue of the fact it is not the authorised use – likely to constitute an offence under s.1. The principle to bear in mind is therefore that to avoid conviction under the Act public sector workers should ensure that where they have been authorised to access data held on a computer, they should not use this data for personal purposes. The indications are that the courts will simply not consider accessing data for personal use to be authorised access; however one would have thought it should not require the courts to interpret this in the first place.

Access to Medical Records

A number of cases under the Act have also arisen in relation to hospital/NHS staff accessing patient databases.

In a recent case from September 2010 – R v Dale Trever (unreported, Hull Crown Court) – an NHS data quality manager accessed more than 400 records of family, friends, and colleagues and was caught after a colleague reported his activity. Despite pleading guilty, the Judge in the case imposed a penalty of a six month suspended prison sentence.

In addition, an older case from 1993 – R v Rymer (unreported, Liverpool Crown Court) – highlights the danger that can arise with accessing data without authorisation. In this case the accused, nurse Dominic Rymer, obtained a computer password by looking over the shoulder over a doctor colleague. The nurse then used this password to obtain access to the hospital database and alter the prescription and treatment records for a patient. Quite aside from the danger this could have caused to the patient, this also constituted an offence under the Act. In this case the offence was under s.3 of the Act, although the principle still holds true that the access in this case was unauthorised.

What to Note

As discussed above, it is difficult to interpret the Act due to the lack of reported case law and the conflicting existing case law. That said, a number of cautionary principles can be taken from the case law which should help public sector workers to minimise their risk of prosecution under the Act.

Public sector workers should, if not already, be aware that such obvious acts as that seen in the Rymer case to access data held on computers, or using access to such data for business/personal purposes, are likely to constitute an offence under the Act. However, the recent case of R v Dale Trever should also serve as a reminder that using authorised access to simply "fact-find" and read data – even where the use of the data goes no further than this – will still constitute an offence under the Act.

A final point to note is that these principles will hold true whatever the area of the public sector – whether police officers accessing the PNC or social workers accessing social work databases, etc.

How can the Public Sector Avoid Offences under the Act?

It should be clear that the onus is on the individual accessing the data to ensure that they are not committing an offence under the Act. Public sector workers should therefore be certain that they are only accessing data for the purpose authorised and that they are not accessing it for business or personal purposes. This includes accessing the data simply for informational purposes, or to obtain information on family/friends.

A further caveat to deter workers from accessing data which they are not authorised to access is that such access – even if it does not constitute an offence under the Act – could still constitute an offence under the Data Protection Act 1998. In addition, accessing data without authorisation could also result in internal disciplinary procedures which, at worst, could result in workers being dismissed.

Public sector bodies can also help to minimise the potential of any prosecutions under the Act. Bodies should ensure that they have a clear Computer Misuse Act policy in place, setting out what data is confidential and which data cannot be accessed without authorisation. They should also ensure that they have a clear scheme of authorisation in place – i.e. a clear indication of who is authorised to control the data, and who can give authorisation to others to access the data. This, coupled with a high level of responsibility from workers, should ensure that prosecutions under the Act are kept to a minimum.

Valerie Surgenor is a senior associate at MacRoberts. She can be contacted on 0141 303 1241 or by email at This email address is being protected from spambots. You need JavaScript enabled to view it..

Details

Written by: Sean Clement

Category: Healthcare Features

Published: 18 November 2010

Hits: 4072

• localgov

The High Court has recently ruled that the NHS must treat patients despite their personal injury settlements. Matthew Hill examines the judgement.

In R (Booker) v NHS Oldham and Direct Line Insurance PLC [2010] EWHC 2593 (Admin), the High Court has held that where a claimant agrees a damages settlement that includes an indemnity to fund private nursing care should existing NHS provision be withdrawn, it was unlawful for a primary care trust to cease its funding of the claimant’s care on the basis that her needs would be met through the settlement.

The claimant, B, was a tetraplegic who had sustained her injuries in a road traffic accident. She had received care from the defendant NHS trust (“the Trust”) over a number of years, and there was no dispute that her medical needs made her eligible for future care. In October 2009, B’s personal injury case was settled on the basis of both a lump sum and periodical payments, the latter due to commence from 15 December 2011. In respect of the period between the settlement date and the first periodical payment, a series of “safety net undertakings” were given by both sides in the litigation, and by DLI, the insurer of the injury claim defendant. These were to the effect that B would use her best endeavours to maintain the NHS funded care that she was receiving, but, should it nonetheless be withdrawn, DLI would indemnify B against the cost of providing replacement care.

In June 2010, the Trust informed B that it intended to withdraw its provision of care from her with effect from the autumn, on the basis that B had elected to receive private care and hence no longer required NHS services. B sought judicial review of this decision.

The Trust put forward two arguments in support of its position. First, it argued that it was not subjecting B’s treatment to an unlawful means test. The decision not to continue treatment was based not upon B’s financial position and ability to pay, but on the fact that she had “elected” to have private treatment and hence no longer had a “reasonable requirement” for continuing healthcare. Second, the Trust argued that the principle that the “tortfeasor pays” was applicable in the circumstances of the case, such that the NHS should not be forced to use its finite, public resources to provide care for the victim of someone else’s negligence when the relevant insurers could be legally compelled to pick up the bill.

HHJ Pelling QC, sitting as a High Court judge, rejected both arguments and found for B. In respect of the former, he noted that s.1(3) of the National Health Services Act 2006 and the Secretary of States’ National Framework Document [46-49] provided that eligibility for NHS treatment was based on an individual’s assessed needs, and not on an ability to pay. He went on [25]:

“The PCT consider that it is entitled to draw a distinction between someone who has the means to pay for care privately and someone such as the Claimant in these proceedings who has recovered damages for personal injury. I am not persuaded that the distinction is at all as clear as the PCT maintains or that it forms a sound basis for arriving at the conclusion that has been reached in this case. A Claimant who is successful in recovering damages is entitled to do with the damages as he or she pleases. It is for this reason that the Interested Party [DLI] insisted upon the inclusion within the settlement agreement of anti-double recovery provisions. On that basis there is no clear distinction that can be drawn by a PCT in the position of this PCT between a person who is independently wealthy or is insured in relation to medical expenses and someone who has sufficient means to provide for his or her care privately by reason of what has been recovered in damages. In each of these cases, to refuse treatment by reference to the means of the patient would in my judgment be contrary to the principle identified by [a senior manager of the Trust] that the “NHS is not a means tested service and is provided to patients on the basis of their medical needs without reference to their financial position." It is contrary to the principle set out in s.1(3) of the 2006 Act and could not have been arrived at if regard had been had to the provisions of the NHS Constitution to which I have referred above.

Turning to the “tortfeasor pays” principle, HHJ Pelling QC noted that it had been used conventionally to assist in assessing the damages of a claimant in a PI action. To date there was no authority that supported the extension of the rule to act as the basis for withdrawing NHS services to someone who would otherwise have been entitled to them [26-27]. Responding to this, the Trust argued that it could still take the point that the tortfeasor should pay into account when deciding on whether or not to provide care, as it was not prevented by statute from doing so. It further argued: (i) that a judicial review of its decision should be limited to a Wednesbury unreasonableness challenge; and, (ii) that an analogy could be drawn with the comments of Sir Anthony Clarke MR in R (Rogers) v Swindon NHS Primary Care Trust [2006] EWCA Civ 392, a drug-provision case in which he held that a court should be extremely reluctant to intervene in cases in which a “hard-pressed authority with many competing demands on hits budget” had regard both to its own financial restraints as well as the needs of a patient when deciding whether or not to supply a drug.

HHJ Pelling was not persuaded by this reasoning. He held that in coming to its decision in the present case, the Trust had to have regard to the legislation and guidance considered above that established that comprehensive treatment, free at the point of delivery, would be provided on the basis of need rather than on ability to pay. In respect of Sir Anthony Clarke’s comments in Rogers, he held that the case was not analogous:

“[29] … this is not a case where the [Trust] allege that funds are not available to provide the care required to all who are eligible to receive it. Rather it is alleged that if the costs of providing future healthcare to [B] were avoided, the funds saved could be deployed for other purpose.

[30] Ultimately the only basis for refusing treatment to [B] but not to another is the presumed ability of [B] to recover the costs of paying for her care herself by reference to an indemnity to be obtained pursuant to the safety net undertakings [in the PI settlement]. In my judgment that was not a position it could lawfully or rationally adopt.”

Comment

Although there are strong grounds for distinguishing the present case from those concerning the decisions of individual NHS trusts not to provide particular drugs or treatments, a comparison seems at first sight to throw up an odd anomaly. On the one hand, the courts appear to be reluctant to compel trusts to direct scarce resources to the provision of particular treatments that patients cannot get elsewhere; on the other, they are also preventing trusts from freeing-up their resources by withholding treatment from patients who would receive equivalent private care.

However, the paradox is not as stark as it first appears. HHJ Pelling QC, referring to the case of Crofton v National Health Service Litigation Authority [2007] EWCA Civ 71, emphasised that he was not expressing any view as to the social and economic expediency of requiring a tortfeasor or his insurer to pay for the services that have or will be provided by the NHS. But the remedy for the state lay not in individual trusts taking decisions such as that in respect of B’s case, but in primary legislation which allowed that costs of treatment to be recovered from the insurers by the NHS (for example Part 3 of the Health and Social Care (Community Health and Standards) Act 2003). There were a number of reasons why this was preferable, including the need to avoid different approaches being taken by different PCTs, and to provide greater security, certainty and expediency for claimants and insurers alike when they came to settle cases.

In coming to his decision, HHJ Pelling QC drew upon 21st Century statutes and case law, and the modern procedural emphasis on resolving cases out of court. Yet despite this – and despite the state of permanent revolution that state health care has endured for well over a decade – his judgment rests on a simple and resilient principle that dates back to the founding of the NHS: a national health service, non-means tested and free at the point of delivery. Nye Bevan would approve.

Matthew Hill is a barrister at 1 Crown Office Row (www.1cor.com). This article first appeared on the chambers’ UK Human Rights Blog.

Details

Written by: Sean Clement

Category: Healthcare Features

Published: 08 November 2010

Hits: 2934

• localgov

The Commons health select committee has launched an inquiry into the sharp rise in complaints against the NHS and the reasons behind the inflation of litigation costs in recent years.

The committee said it was “vital that the NHS addresses complaints in a way which satisfies patients and their families in order to maintain confidence in the service”.

It added that complaints could also be an early warning of systemic problems, citing the chair of the public inquiry into Mid Staffordshire NHS Foundation Trust who acknowledged that “the trust failed to listen to patients' concerns, the board did not review the substance of complaints and incident reports were not given the necessary attention”.

The MPs also highlighted the Health Service Ombudsman’s recently published report on its first year of operation. In her foreword, Ann Abraham said: “The NHS needs to listen harder and learn more from complaints. When it fails to do so, it is missing a rich source of insight and information that is freely and readily available and comes directly from service users.”

The committee therefore called for written evidence on:

• The reasons for the recent sharp rise in NHS complaints
• The effectiveness of the new complaints system introduced on 1 April 2009
• The effectiveness of the constituent parts of the complaints system: local resolution (supported by the Independent Complaints Advocacy Services); and referral to the Ombudsman
• The role of Patient Advice and Liaison Services as a “gateway” to the complaints system
• The failure of some Foundation Trusts to report numbers of complaints
• The government’s plans for future complaints-handling arrangements
• How data from complaints will feed into the government’s planned new commissioning arrangements.

The health select committee pointed out that litigation – as a means of seeking redress for failures in treatment – imposed a significant cost on the NHS.

“NHS institutions spend hundreds of millions of pounds in premium to insure against litigation, and that does not cover the independent sector, including General Practitioners, who make their own arrangements,” it said.

In this respect, it called for evidence on:

• The cost of litigation against the NHS
• Reasons for the inflation of litigation costs in recent years
• The impact of conditional fee (“no win, no fee”) arrangements on litigation against the NHS
• The effect of litigation on the development of an open reporting and learning culture in the NHS
• The government’s intentions regarding the implementation of the NHS Redress Act 2006
• The possible benefits of a statutory right to compensation for “treatment injury” from an independent fund, without the need to prove negligence, as required under tort law
• Encouraging the use of mediation before litigation is initiated.

The deadline for submitting written evidence is noon on Tuesday 21 December 2010.