Investigatory Powers Bill – Protections for Medical Records?

We welcome Home Office Minister John Hayes’ statements that additional protections for medical records will be added to the Investigatory Powers Bill.

He said: “I am prepared in this specific instance to confirm that the security and intelligence agencies do not hold a bulk personal dataset of medical records. Furthermore, I cannot currently conceive of a situation where, for example, obtaining all NHS records would be either necessary or proportionate.”

Additionally, because he “felt that it was right in the national interest, with the benefit of the wisdom of the Committee” … “I feel that the public expect us to go further” than currently on the face of the bill, because he “cannot bind those who hold office in the future, so it is important that we put additional protections in place.”

Having agreed in principle that there should be “additional protections”, there are multiple ways to implement them.

For these purposes, it is sufficient to consider that Bulk Personal Datasets are used where the identities of the individuals being targeted are unknown, and you need to search by attributes across whole databases rather than names. Think of it like searching your phone book by phone number, rather than by name.


Existing mechanisms to get this information

As a Home Office Minister speaking in Committee, there is no reason he would be aware of the existing gateways available for doing precisely the things he was thinking about needing to be able to do in rare circumstances, for the exceptional reasons he was thinking they may need to be done.

In the course of an investigation, especially in a terrorism incident, the police can ask the NHS questions. The police or agencies won’t be able to go fishing for answers; they can ask the relevant hospitals questions, and the hospitals can take a view on whether it is appropriate to answer based on full details. There can be a process followed which can command public confidence.

Doctors are permitted to override the common law duty of confidentiality and release such information to the police when they “believe that it is in the wider public interest,” under GMC guidance. After a terrorism event, it is inconceivable they would not do so. When investigators know what to ask for, they have the ability to use existing processes for those individuals’ details on a targeted basis, should they be relevant.

There is existing guidance on this, and if it needs to be updated, that does not prevent stronger protections on bulk access to medical records being added to the Bill.

Even if there is only a “risk” that those individuals may have been involved, or may be involved in terrorism in future, the duty of confidence for providing information to the Agencies was lifted in part 5 of the 2015 Counter Terrorism and Security Act.

The Home Office has lowered the bar of confidentiality protection dramatically over the last several years. Unamended, these powers remove it entirely.


What the protection must cover

The committee rightly identified that there must be protections “for material relating to “patient information” as defined in section 251(10) of the National Health Service Act 2006, or relating to “mental health”, “adult social care”, “child social care”, or “health services””. All sections of that are important, although there are different ways to put them together.

It is insufficient to simply exempt data held by DH/NHS data controllers, as that does not cover social care, nor does it cover data with data processors contracted to the NHS (which is a different loophole of concern to the ICO).

The Agencies should also never be permitted to use covert means against the NHS or health professionals to acquire patient information.

Should the Agencies create a scenario where there has been a secret incident where medical professionals are not allowed to know the characteristics of a suspect, and that search can only be done at some future point by the Agencies, rather than now by the medical staff, then some mechanism may be appropriate. This seems highly unlikely, but the Home Office may be able to make such a case to the satisfaction of both Houses of Parliament. We invite them to do so.

In that scenario, it is likely to be necessary to have multiple levels of protection: a general ban on warrantry for such data, except where the Secretary of State responsible for the data has submitted to the Judicial Commissioner an approval for its handover and retention for a defined period for a defined investigation, and no others.

In effect, this removes from the Agencies permission to acquire the data, while retaining the ability for the Secretary of State elsewhere in Government to hand it over should they believe it appropriate. The Commissioner and the Intelligence and Security Committee should then be required to be notified that this has been approved, and to state how many individual-level records were affected in any annual report covering the period.

Whatever the Home Office come up with, it must be robust and be seen to be robust. We remain happy to discuss this further with all parties.