Statutory Restrictions on data handling

Boris Campbell made this Freedom of Information request to Department of Health and Social Care

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was partially successful.

Boris Campbell

Dear Department of Health,

Dear Mr Jones
Re: DE00000933674 dated 1st May 2015
Thank you for your reply to my enquiry originally sent to the Ministry of Justice, relating to NHS Statutory Restriction on data handling. My questions were not specifically relating to ‘health’ as such, but the law itself.
The two questions are in no way a request for ‘legal advice’. They ask for ‘facts’, which remain constant in all circumstances. Whereas ‘advice’ need not be based on fact or even true and may vary from person to person.
You state that the nature of the offence would depend on the circumstances under which it was disclosed. The ‘circumstances’, where and the way the information was disclosed are irrelevant. The law is concerned only about three criteria: by whom and to whom the information was disclosed and for what ‘purposes’. It has been confirmed to me by a legal expert in these specific matters, that as it is in fact a breach of ‘Confidentiality’, it would always be a ‘civil’ offence, giving rise to a civil litigation. This satisfactorily answers my 1st question.
Your own publication ‘The Information Governance Review’ states in Chapter 4 – Personal data breaches that ‘In the 12 months to the end of June 2012, 186 serious data breaches were notified to the Department of Health, rather than the ICO’.
You also told me how to complain. I did not ask how to complain. This explanation, together with that about a ‘Caldicott Guardians’ and the link to the NHS website are all irrelevant to my Request.
My 2nd question was and is, taking into consideration that breaches of confidentiality have been reported to your Department in the past, who would be responsible in your Department to deal with the kind of complaint I refer to.
Therefore, in accordance with not only the ICO’s statement, but also your Information Governance Review, who at the Department of Health is responsible for dealing with complaints I refer to?

Yours faithfully,

Boris Campbell

Department of Health and Social Care

Thank you for contacting the Department of Health.
This is an acknowledgement - please do not reply to this email.
Where a reply is appropriate, we aim to send one within 18 working days,
or 20 working days if your query is a Freedom of Information request or
complaint.
If you have contacted the Department of Health about a current health or
social care campaign, please visit the [1]GOV.UK website, the UK
Government’s official information website, where a response may have been
published.

If your enquiry is about a medical matter, please contact NHS 111 or visit
[2]NHS Choices, or contact your GP surgery.

For general health information you may also find it helpful to refer to
[3]GOV.UK, which includes the Department of Health's [4]'What we
do' section.
Please note that the Department of Health does not process complaints
about the NHS or social services. If you wish to make a complaint about a
healthcare professional, an NHS organisation or a social care provider,
please visit the [5]'Complaints procedure' page on the GOV.UK website.
 
You can find out more about the Department’s commitments from our
[6]Personal Information Charter.

This email was scanned by the Symantec virus scanning service and was
certified virus free.
Communications may be automatically logged, monitored and/or recorded for
legal purposes.

References

Visible links
1. https://www.gov.uk/government/announceme...
2. http://www.nhs.uk/
3. https://www.gov.uk/government/organisati...
4. https://www.gov.uk/government/organisati...
5. https://www.gov.uk/government/organisati...
6. https://www.gov.uk/government/organisati...

Department of Health and Social Care

1 Attachment

Our ref: DE00000934081 
 
Dear Campbell,  

Please find the Department of Health's response to your recent FoI request
attached.

Yours sincerely,
 
Jonathan Young
Freedom of Information Officer
Department of Health

 


Dear Department of Health,

Dear Mr Young
Your reference DE00000934081
Thank you for your reply to the above FOI Request.
I already wrote to the Information Commissioner for advice in this matter.
He replied stating that as the disclosed information is controlled by NHS Statutory Restrictions on data handling, specifically the NHS(Venereal Regulations)1974, it is outside of his remit and none of his concern. He suggested that I contact the NHS or the Department of Health.
The HSCIC referred me back to the ICO, who reiterated that the NHS Statutory Restrictions on data handling, a standalone Act of Parliament, which also controls the disclosure of individual’s HIV status, is outside of the Data Protection Act and none of ICO’s business.
The local authority which disclosed the individual’s HIV status, have done so in violation of not only paragraph 46 of the ‘Confidentiality – NHS Code of Practice’, which all local authorities with social care responsibilities must follow, but also all of the Caldicott Principles and the four criteria governing disclosure of personal confidential medical information, reiterated in your ‘Information Governance Review’ chapter 5 – Information governance and the law, published in March 2013. Evidence exists that the authority’s Caldicott Guardian was aware of this disclosure, perhaps even complicit in it.
Page 55 of this Review states: ‘Any processing of personal confidential data that is not compliant with these laws, even if otherwise compliant with the Data Protection Act, is a data breach, and must be dealt with as such.’
Who should deal with such a matter, when the ICO, NHS and the Department of Health all claim that it is none of their responsibility to do so?
In order to proceed with a civil action, as you suggest, for breach of Common Law Confidentiality and violation of Article 8 of the Human Rights Act, proof must be presented that all other means of obtaining a resolution have been exhausted. This cannot be achieved, as there are no means whatsoever to accomplish this requirement.
I should mention that there is no evidence that a complaint/case has even been brought against anyone for disclosure of any information, specifically individual’s HIV status, controlled by the NHS Statutory Restrictions, since the enactment of this legislation in 1974. The disclosure discussed here is a first ever, unique occurrence, without a precedent.
Therefore, in order to progress further, even with any civil action in England or even the ECHR, as authors of this legislation, would you please issue me with a statement that the Department of Health has failed in the past 41 years to put in place an effective official complaints procedure in this country, to deal with breaches of this important legislation and disclosure of most probably the most sensitive personal clinical information in recent years by either the Caldicott Guardian or anyone else.

Yours faithfully,

Boris Campbell

Department of Health and Social Care

1 Attachment

Email Content stored in attached file 'Long_Email_Body_27_05_2015.html'.

 


Dear Department of Health,
Dear Ms Cox
Thank you for your reply to my FOI Request above.
Your statement that the NHS Statutory Restrictions on data handling apply ONLY to NHS Trusts and former PCTs is incorrect.
I have already told you that the NHS(Venereal Regulations)1974 is incorporated at paragraph 46 - legal restrictions on disclosure in the ‘Confidentiality – NHS Code of Conduct’ issued by your Department, which, according to the Department for Communities and Local Government, all local authorities with social care responsibilities MUST follow. This was also confirmed elsewhere by your own Department.
Your own Department’s ‘Information to share or not to share – The Information Governance Review’ states on page 10 – Chapter 4 – Personal data breaches that ‘In the 12 months to the end of June 2012, 186 serious breaches were notified to the Department of Health. Most involved the loss or theft of data, but almost one-third concerned unauthorised disclosures.’
The one-third disclosures referred to can only be individual cases of disclosure of personal data, in contravention of regulations, guidelines and indeed, the law.
Your statement that ‘… the Department has no powers to intervene in individual cases.’ raises a question: ‘Taking this into consideration, why were these serious breaches referred to the Department of Health in the first place’?
Therefore, there must be an individual or an office at your Department responsible to deal with these matters.
I should like to take this opportunity and suggest to you, that before you start replying to Requests on this website, you update yourself on the procedures which apply here.
The last paragraph of your reply is inappropriate and irrelevant. This normally ubiquitous copy and paste paragraph used by your Department in conventional FOI Requests to fob off the individual and to put a stop to any further questions, which may prove embarrassing, fortunately does not apply on this public forum.
Unlike during an FOI Request submitted by conventional means, the individual submitting the FOI Request on this website has the final word. It is he who either ‘accepts’ a reply or not. By accepting the reply, he confirms that he is satisfied with it and in fact closes the matter. Should he be dissatisfied with a reply, he may ask further relevant questions, irrespective of whether you have ‘closed’ the case, or not. He is entitled to ask for an ‘internal review’ by the website’s legal staff, or refer the matter to the Information Commissioner for resolution. In this process, I am happy to say, you have no say or influence.
Finally, it is sad, very sad indeed that a Ministerial Correspondence and Public Enquiries section of the Department of Health provides such unreliable information; even contradicting itself. You should be in the forefront of providing reliable, credible information. Particularly, when in excess of 500,000 individuals visit this public forum seeking credible answers to their concerns on various matters.
You should be aware that your incorrect answer will remain here for ever more, for anyone to see. Anyone can also add whatever comments he may feel relevant to the matter. None of this information can be deleted, except in special circumstances.
It is now clear that for whatever reasons I will not receive the requested information. I will therefore address my concerns directly to the Secretary of State, providing evidence of not only incorrect information, but the continuous obfuscation.
Yours sincerely
Boris Campbell
Adult Social Care Section
Kensington Branch
38degrees.org

Department of Health and Social Care

Our ref: DE00000937650 
 
Dear Mr Campbell,  

Thank you for your further correspondence of 28 May about the disclosure
of personal information.  I have been asked to reply.

I must make it clear that all the requests you have made to date do not
satisfy the treatment under the Freedom of Information Act as there has
been no request for consideration to be given to the release of
information.  Your requests have therefore all been dealt with correctly
as Departmental correspondence.

Although, as with many areas of healthcare, the Department of Health is
provided with information about data breaches by local NHS organisations,
it is not responsible for enforcement or effecting action in individual
cases.  Local organisations themselves are legally responsible for
processing confidential personal information within the requirements of
the Data Protection Act 1998; where an individual is concerned that their
confidentiality has been breached they can use local complaints
processes.  Should this fail to provide a resolution they may forward
their complaint to the Office of the Information Commissioner.  I
understand the person you refer to in your correspondence may have already
tried this, so they may wish to seek legal advice on taking action against
the organisation(s) that have allegedly breached their confidence.

I am sorry if this is not the reply that you were hoping for, but as there
is nothing further that the Department can add, we must now consider this
matter to be closed.  Unless you raise a new question, any further letters
sent to the Department will be logged but may not receive a reply.

Yours sincerely,
 
Neil Crowder
Ministerial Correspondence and Public Enquiries
Department of Health
 


Dear Department of Health,

Dear Mr Crowder
Thank you for your reply.
I must once again reiterate that it is not your prerogative to close a Request submitted on this public forum. Although you may consider it ‘closed’ when you are unable/unwilling to provide the requested information, it remains open here until I am satisfied that I have received the requested information, about which I may ask as many additional questions as I need in order to arrive at a satisfactory outcome.
It is I, and only I, who decides when a case is closed. It will remain permanently on this public forum, accessible by anyone seeking similar information, with all the replies and comments clearly visible to them.
The progress of each Request is closely monitored by the website’s staff, who ask for updates at every stage of the process. Should I be unhappy with the outcome, I have the option to seek an ‘internal review’, which may end up with the Information Commissioner. You have no influence of any kind in this process. Therefore, your statement that you have ‘closed’ the case is irrelevant on this occasion and somewhat asinine.
My request was for information: In my original request on 7th May 2015 to Mr Jones I asked:
‘Therefore, in accordance with not only the ICO’s statement, but also your Information Governance Review, who at the Department of Health is responsible for dealing with complaints I refer to?’ This had nothing to do with the actual disclosure.

The Information Governance Review states that 186 notifications of serious breaches of confidentiality were received by your Department in 2012. They must have been received by someone, who obviously, according to your latest reply, was not entitled to take any action of any kind. I merely asked for the name of the individual or a section who received these notifications. Simple request, yet so difficult to fulfil. So difficult that you promptly closed the case, to prevent any further democratic, transparent and fair progress of this very simple Request.

As far as your personal feeling of sorrow is concerned, you are not expected to express your personal sentiments, however pleasing they may be. Your duty is to provide proper, credible and reliable information, irrespective of how you may feel about it. This statement of assumed empathy is ubiquitous in all of your Department’s replies. It is nothing but a vacuous, inappropriate cut and paste nonsense.
No complaint of any kind was submitted by anyone to the Information Commissioner about the disclosure contravening the NHS Statutory Restrictions on data handling. He was merely asked who should deal with such complaints. He replied, stating that he has no information about this specific legislation and suggesting that concerns should be addressed to the NHS or the Department of Health.
The NHS told me that they do not have the powers to investigate individual cases and referred me to the Department of Health.
You state that ‘the Department of Health is provided with information about data breaches by local NHS organisations….’ You are obviously not aware that since 2002 an individual has been appointed in local authorities with care responsibilities, called the ‘Caldicott Guardian’, to oversee the handling of confidential personal information. Ensuring that, at least in theory, the processing of personal medical confidential information was finally on par with that in the NHS. However, this is merely a theory and wishful thinking.
Further you state that ‘Local organisations themselves are legally responsible for processing confidential personal information within the requirements of the Data Protection Act 1998….. he may forward his complaint to the Information Commissioner.’ The information disclosed in the case I refer to is NOT subject to the provisions of the Data Protection Act, therefore not within the Information Commissioner’s remit. It is regulated by a SEPARATE LEGISLATION, OUTSIDE OF THE DATA PROTECTION ACT.
It now appears that the Department of Health has issued a piece of legislation, without consideration as to what should happen when it is breached and sensitive personal information is disclosed in contravention of this Act.
In the case of the 186 complaints, it seems that NO action of any kind was taken by anyone to either discipline or penalise the perpetrator(s) of these serious breaches. A very sad affair indeed, in this allegedly democratic, transparent and fair Big Society. A cleverly orchestrated process of notifying the Department of Health, instead of the Information Commissioner, for a very simple reason: TO GET AWAY WITH and avoid any action. I will be submitting a separate Request regarding this matter.
In respect of the individual case, I have addressed my concerns directly to the Secretary of State for Health.

Yours faithfully,

Boris Campbell

Peter Bowyer left an annotation

As they've explained to you, you're not making valid requests for information under the FoI Act, so your pompous quoting of FoI Act provisions is irrelevant. If you wish to ask for an internal review, you have to have made a valid request in the first place. They have answered your general questions with general information and have no more to add, so they're telling you not to waste your and their time asking the same question again, or trying to have a debate with the officer dealing with your questions.

Boris Campbell left an annotation

Strange that the DOH refuses to let me have the name of a responsible person, when I see other organisations have provided this information to others.

Dear Mr Crowder
Thank you for your reply.
I should let you know that I have ended up on a Ministerial Merry-Go-Round.
The Information Commissioner was asked for guidance in this matter. He advised that as the NHS(Venereal Regulations)1974, which is a Statutory Restriction on data handling is outside of his remit, I should address my concerns to either the NHS or the Department of Health.
I have done as advised. The NHS replied that it is either the Information Commissioner or the Department of Health who should deal with this matter. Likewise, you are sending me back to the Information Commissioner….
And round and round we go…endlessly. No one is prepared to take the responsibility to deal with this matter.
Perhaps, this is due to the fact that NO formal complaint or a case has even been presented against anyone for breach of this specific NHS Statutory Restriction on data handling. It is in fact a first ever case. Someone, somewhere has the statutory obligation to deal with it. Obviously, it is very hard indeed to decide who this might be.
You are perhaps by now aware that the individual whose information was disclosed in breach of this Act, wrote directly to Mr Lamb, the Secretary of State for Health to decide who is responsible to receive complaints of this nature, which according to the Ministry of Justice document ‘Public Sector data handling – guidance on the law’, are serious civil offences.
Legal advice recommends that an answer to the complaint must be obtained before proceeding further with this matter.
As it stands at the moment, the following considerations apply: a breach of Common Law Confidentiality, breach of NHS Statutory Restriction on data handling in itself a serious offence and a violation of Article 8 of the Human Rights Act, as already demonstrated by recent cases Z v Finland and I v Finland in front of the ECHR.

Yours faithfully,

Boris Campbell