Data protection and human rights
8. Personal data (which includes an individual's
name, address, date of birth and national insurance number) is
protected by Article 8 of the European Convention on Human Rights
as part of an individual's private life. In the context of medical
records, the European Court of Human Rights has stated:
The protection of personal data, particularly medical
data, is of fundamental importance to a person's enjoyment of
his or her right to respect for private and family life as guaranteed
by Article 8 of the Convention. Respecting the confidentiality
of health data is a vital principle in the legal systems of all
the Contracting Parties to the Convention. It is crucial not only
to respect the sense of privacy of a patient but also to preserve
his or her confidence in the medical profession and in the health
services in general. The domestic law must afford appropriate
safeguards to prevent any such communication or disclosure of
personal health data as may be inconsistent with the guarantees
in Article 8 of the Convention (MS v Sweden (1997) 28 EHRR 313,
para. 41).
The same comments could be made in respect of personal
data of any kind held by any organ of the State.
9. The obligation to provide personal data, the release
of personal data without consent, and the collection and storage
of personal data all amount to interferences with an individual's
right to respect for his or her privacy. Whether or not such interferences
amount to a breach of Article 8 will depend on an assessment of
whether the disclosure was "in accordance with the law",
necessary in a democratic society for a legitimate aim (in the
interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or crime,
for the protection of health or morals, or for the protection
of the rights and freedoms of others), and proportionate. The
adequacy of the safeguards in the overall regime is central to
this assessment.
10. In its written memorandum, the Information Commissioner's
Office noted that the Data Protection Act is derived from the
European Data Protection Directive, which itself has its origins
in the European Convention on Human Rights. It explained that
the Data Protection Act provides practical guidance to public
bodies on how to meet their obligations under the Human Rights
Act to respect personal data. "It is fair to say", it
concluded, "that there is a mutually supportive interplay
between human rights, data protection and the work of the Information
Commissioner".[12]
11. The right to respect for private life in Article
8 ECHR imposes a positive obligation on the State to ensure that
its laws provide adequate protection against the unjustified disclosure
of personal information. The Data Protection Act 1998 is an important
part of the detailed implementation of that positive obligation,
but its mere existence does not exhaust the obligation on the
State to provide adequate safeguards. The Data Protection Act
must itself be interpreted so as to be compatible with Article
8, and it may still be necessary for legislation which authorises
the disclosure of personal information to contain detailed provisions
circumscribing the scope of that power and providing safeguards
against its arbitrary use.
Data sharing
12. Data sharing between public sector bodies is
becoming increasingly common. In our legislative scrutiny work,
we often encounter provisions to enable Government departments
and other bodies to share data for a wide variety of purposes.
Table 1 summarises the provisions we have commented on in recent
years.[13]
13. In its written memorandum, the Information Commissioner's
Office said that "the unnecessary or disproportionate sharing
of personal information can undoubtedly have a significant negative
impact on individuals". It drew attention to public concern
about the mismanagement of sensitive personal information, particularly
in relation to health records, tax returns, police records and
adoption papers. [14]
It went on to say, however, that:
It is wrong to see the sharing of personal information
as necessarily a bad thing, one that can necessarily be opposed
on data protection or human rights grounds … The issue …
isn't whether there should be more or less information sharing,
but rather what information is being shared, why it's being shared,
who has access to it and what the effect of this is.[15]
14. We agree that data sharing is not, in human rights
terms, objectionable in itself. Indeed, the sharing of personal
data may sometimes be positively required in order to discharge
the State's duty to take steps to protect certain human rights,
such as the right to life,[16]
and it is also in principle capable of being justified by sufficiently
weighty public interest considerations. However, the sharing of
personal data will inevitably raise human rights concerns, and the
more sensitive the information the stronger those concerns will
be. Government must show that any proposal for data sharing is both
justifiable and proportionate, and that appropriate safeguards are
in place to ensure that personal data is not disclosed arbitrarily
but only in circumstances where it is proportionate to do so.
12 Appendix 2, paragraphs 2, 3, 16. Back
13
See paragraph 16 below. Back
14
Appendix 2, paragraph 5. Back
15
Ibid, paragraph 6. Back
16
E.g. in Edwards v UK the failure to ensure that information
was passed from the police to the prison authorities, about the
risk posed by a mentally ill detainee, contributed to the finding
by the European Court of Human Rights that the UK was in breach
of the positive obligation to protect life when that detainee
killed his cellmate. See also Nineteenth Report, session 2003-04,
Children Bill, HC 537, HL Paper 161, paragraphs 98-117. Back
