It will become evident that what should have happened, is very different from what had actually happened.
It is clear that the ICO exerted utmost of effort to avoid mentioning CONFIDENTIALITY, CONSENT, STATUTORY RESTRICTIONS ON DATA HANDLING AND ARTICLE 8 OF THE HUMAN RIGHTS ACT. Perhaps he assumed that as these finer intellectual and ethical considerations are OUTSIDE OF HIS REMIT, he was in no way obliged to take them into consideration.
Moreover, the ICO chose NOT to refer to his own Statutory Code, the ‘Data Sharing Code of Practice’, where section 4 – Data Sharing and the Law, puts the onus on legality of disclosure on RBKC and the possibility that some data processing may be governed by, for example Statutory Restrictions, which are OUTSIDE OF THE DPA, or subject to CONFIDENTIALITY, to avoid F from taking his concerns to a new, unwelcome and perhaps embarrassing level.
Unhappy with RBKC’s obvious failure to comply with F’s May 2010 Amendment to his Information Sharing Agreement and their justification of disclosure of F’s information to the LGO, on 5th January 2012 F submitted a request to the ICO for his opinion in the matter of disclosure of his information without his consent or even knowledge.
At the time of his request, F was NOT aware what was actually disclosed by RBKC, that came to light on 11th February 2012. He was not even told by RBKC that any documents were sent to the LGO, let alone asked to provide his CONSENT, as required by his Information Sharing Agreement.
In his request F quoted portion of his May 2010 amendment to his ‘Information Sharing Agreement‘, clearly stating that his HIV+ status may have been disclosed without his CONSENT and/or knowledge.
F did not deem it necessary to tell the ICO about the instructions relating to the deletion of his information, as he thought that this was already taken care of. But perhaps some may have still remained on RBKC files.
In his ‘assessment’ dated 23rd January 2012, without asking any questions, or obtaining details of the actual information disclosed to the LGO, ICO’s Ms Sacha Powell merely endorsed RBKC’s justification and swiftly closed the case, wholeheartedly hoping that F would swallow the ‘assessment’, hook, line and sinker, shut up and go away.
Therefore, Ms Powell did not deem it necessary to offer F the opportunity to challenge the assessment, as she should have done.
Even if the ICO offered F the opportunity to challenge the ‘assessment’, there is NOTHING that the ICO could have done to provide REMEDY to F, whatever the outcome, as this is also outside of the ICO’s remit.
The DPA can only provides resolution in respect of the data controller, RBKC in F’s case. The ICO cannot compel RBKC to even offer an apology, let alone any equitable compensation for the distress and concern the matter may have caused him.
In this respect, F must avail himself of paragraph 13 of the DPA and go to court. Where, the Judge is in NO way obliged to consider the ICO’s ‘assessment’, as it has NO legal value. He would consider the matter anew, from a legal point of view, discarding anything stated by the ICO. It is after all, a mere ‘assessment’, stating whether RBKC had ‘likely’ or ‘unlikely’ complied with the DPA.
Considering the subject article, it is no surprise that Ms Powell chose to ignore the provisions of ICO’s ‘Data Sharing Code of Practice – section 14- Data Sharing Agreements, which states that ‘The ICO will take this into account should it receive a complaint about data sharing”., when considering F’s statement about his May 2010 Amendment to his Information Sharing Agreement.
Considering the fact that ALL information in service user’s file held by his Social Worker is deemed ‘CONFIDENTIAL‘, very much like GP’s file on his patients, it must be treated as such.
In F’s case some of his information is of NOT ONLY SENSITIVE, but ALSO of CONFIDENTIAL MEDICAL nature.
On seeing that F’s not only medical but also more seriously, his status HIV may have been disclosed, Ms Powell should have realised that a disclosure of a highly CONFIDENTIAL medical information may have occurred, as referred to ICO’s DPA complaints casework, page 5 – operational priorities – evidence of unauthorised disclosure of medical information and take further action. He should have perhaps asked RBKC for details of the information disclosed to the LGO, which were at that time unknown.
The extent of the disclosure came to light only on 11th February 2012, almost a month after the ICO’s ‘assessment’, when F received from RBKC the requested documents sent to the LGO.
It became clear that the 146 CONFIDENTIAL documents, were culled from F’s file, indiscriminately, without reason or purpose. This is confirmed by the ABSENCE of a document which should have listed all the documents, the authority for their disclosure without consent and the reason/purpose for their disclosure. This is required by the legislation, paragraph 6.22 of the Department of Health Guidelines – ‘Data Protection Act 1998 – Guidance to Social Services‘, and the ‘Caldicott Principles‘.
On 9th July 2012 ICO responded with his Case Review. Mr Gray merely reiterated Ms Powell’s earlier decision. He stated that the disclosure of his HIV status was in order, should RBKC merely believe, on a whim, acquired during a momentary loss of sanity, that the disclosure was NECESSARY, without any reference to governing legislation, guidelines and codes of practice. How very convenient for all of them.
On 11th May 2013, F asked Ms Powell to confirm that the ‘decision’ would have been same had she were to consider that the disclosed information was of ‘CONFIDENTIAL MEDICAL’ nature. Ms Powell chose NOT to reply.
The ICO certainly reacted swiftly and properly in September 2015 when an ‘accidental’ disclosure of email addressed of patients by a Soho HIV Clinic had occurred.
However, in F’s case, the ICO tried his hardest NOT to admit that at least breach of CONFIDENTIALITY had occurred; in addition a breach of the NHS Statutory Restrictions on data handling and Article 8 of the Human Rights Act.
ICO should have also realised that F’s Amendment was in fact a NOTICE in accordance with paragraph 10 of the Data Protection Act. ICO’s own ‘Paragraph 10 procedures‘ are clear what action should be taken.
It states that F was not obliged to refer to paragraph 10 in his Notice, nor provide it in a specific format, as it is undefined. It may be as simple or as convoluted as he might have felt fit. The onus to recognise the NOTICE was on RBKC and react accordingly.
In respect of the Notice, the ICO should have asked RBKC to provide a copy of its reply to F, which RBKC was legally obliged to provide, in accordance with paragraph 10-(3) of the DPA.
Had the above happened, he would have realised that RBKC breached their obligation and therefore committed an offence and subject to further action.
CONCLUSION: The true events described above endorse the comments made it the article referred to above.
Ms Powell should have informed F that if HIV relevant information was disclosed, he must address his concerns to the NHS, as this specific information is protected by NHS Statutory Restrictions on data handling, which are OUTSIDE OF THE ICO’s REMIT, as confirmed by ICO at a much later date.
It is clear that Ms Powell intentionally chose NOT to tell F that RBKC must follow the ICO’s ‘Data Sharing Code of Practice’, a Statutory Code, which in section 4 clearly address the responsibilities relating to disclosure. Had she done so, the matter may have taken an unexpected turn and create an embarrassing situation to RBKC, which the ICO tried so hard to avoid.
In this context it may be alleged that ICO may have been influenced by some unsavoury, unethical and amoral dark forces, to ensure that F’s concerns were stifled, and he ended up in a legal cul-de-sac and give up.. Hence the lack of opportunity to challenge the ‘assessment’.
In respect of the ‘case review’, taking the lead article into consideration, it would be utterly absurd to even think that Mr Gray, Ms Powell’s work colleague, would overturn or negatively comment on her ‘assessment’.
This effort, was utter waste of time, taking into consideration the nonsense cited by Mr Gray. Maybe, as result of his abysmal incompetence and a lapse of sanity, or just in order not to upset the apple cart and Ms Powell. Fortunately, Mr Gray’s ‘case review’ is as WORTHLESS as the original ‘assessment’. In fact, not worth the paper it is printed on.
Of interest is ICO’s reaction in 2015, when email addresses of Soho HIV clinic were compromised. The ICO took a dim view of the event, merely because the subscribers to the Clinic’s Newsletters were made aware of other subscribers’ email addresses. THAT’S ALL. IN NO WAY these addresses positively identified the individuals. It was merely because of the implied association between the the recipients and the HIV Clinic that the ICO thought that this ONLY may cause unnecessary anxiety and distress to the recipients.
Had the emails were sent by say, TESCO, the event would have passed by, unnoticed. There would not have been the frenetic media/public frenzy about the event.
Whereas, in F’s case, he could not care less that F’s identity, full details of his HIV diagnosis and clinical details of his condition were disclosed without F’s consent/knowledge and most importantly, without any legal obligation on RBKC to do so.
It is distressing to see that the ICO failed to take account of F’s Information Sharing Agreement, which not only requires that RBKC seek his CONSENT, but also that they should have removed any HIV related information.
Information, RBKC were NOT entitled to have in the first place.
Bottom line: The ICO must NOT be trusted to provide credible ‘assessments’. Thank God that they are worthless, having NO legal gravitas whatsoever. Sad, but true.