The recent undertakings given by Brent Teaching Primary Care Trust and Abertawe Bro Morgannwg University NHS Trust to the Information Commissioner’s Office, and to be given by Tees Esk and Wear Valleys NHS Foundation Trust, highlight the current data protection hot topic of data encryption.
The Information Commissioner’s Office has legal powers to ensure compliance with the requirements of the Data Protection Act 1998 (the DPA). Both Brent and Abertawe gave undertakings to the Information Commissioner’s Office to implement appropriate security measures following the theft of unencrypted laptops containing patients’ personal data. Tees Esk and Wear Valleys was also required to sign a formal undertaking after the “loss of an unencrypted data stick by a contractor with various patient and staff personal data on it”, although the data stick was found and later returned to the Trust.
Recap on some of the relevant DPA requirements
Under the DPA there are various requirements that have to be complied with by “data controllers”. A data controller is a person who determines the purposes for which and manner in which any “personal data” are to be processed. An example is an NHS Trust in relation to its patients’ personal data: the Trust will decide how and for what purposes that patient information would be “processed”.
Processing is given a very wide meaning by the DPA. It covers probably everything one can imagine relating to dealing with the relevant information including obtaining, recording, holding, altering, retrieving, using, disclosing and erasing or destroying the information.
It is important to remember that the DPA only protects “personal data”.
In broad terms, “personal data” is data that relates to a living individual who can be identified from that data (or from that data as well as other information in the data controller’s possession). An example is a person’s name, address, date of birth and NHS number.
The DPA includes eight data protection principles to which data controllers must adhere. The seventh of these principles is that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data”. This is where the issue of data encryption comes in. It is worth noting that this principle refers to taking appropriate technical and organisational measures. The measures have to ensure a level of security that is appropriate to the harm that might result from unauthorised or unlawful processing of the data and also to the nature of the data to be protected. In deciding what is appropriate, regard is had to the state of technological development and also to the cost of implementing any such measures.
What about in the context of equipment leases?
There are DPA considerations for both lessees and lessors relating to personal data stored on leased equipment upon termination or expiry of a lease.
Bearing in mind the seventh data protection principle mentioned above, the lessee should ensure that any such personal data is permanently removed prior to return of the equipment.
Apart from the seventh principle, under the first principle, personal data must be processed “fairly and lawfully”. One of the factors taken into account in determining whether the data has been processed fairly is whether the person from whom it was obtained is deceived or misled about the purposes for which it would be processed - including the purposes for which it would be disclosed. This is one of the main reasons for providing individuals upfront with data protection statements explaining how their personal data will be used and with whom it will be shared. In general terms, it would be unusual for an individual’s consent to have been specifically obtained upfront to his personal data being disclosed to a lessor of equipment on which that data would be stored with a view to that lessor then simply deleting it. From its own compliance perspective, it is therefore in the lessee’s interests to ensure that the data is removed prior to return of the equipment.
From the lessor's position, there are also various issues surrounding whether it can and should erase the data itself if this has not already been done. It is usual and prudent for the lessee to be under a contractual obligation from the outset to ensure that any personal data is removed before the equipment is returned.
This article is a general summary only. If you would like advice on any of the issues raised by it, please contact us. Please bear in mind that the law may change from time to time and this article may not be (or have been) updated to reflect those changes. © afl Solicitors