Surprising High Court ruling on privacy

[Nicholas Bohm]

At 02:47 PM 6/13/1999 +0100, Ross Anderson wrote:

>this list has from time to time touched on medical privacy, especially

>in the context of GCHQ's determination to prevent encryption on the

>NHS wide network or at least impose escrow.

>

>Recently there has been an extremely surprising judgment in the High

>Court, which may end up having the opposite effect to that which

>appears to have been intended by a no doubt well meaning judge:

>

>

> >http://www.rpsgb.org.uk/55.htm

> >

> >Prescription data sale ruled unlawful

> >

> >The [English] High Court has ruled that pharmacists cannot lawfully

> >sell anonymous prescription data because to do so involves breaching

> >patient confidentiality even though no-one can be identified.


This does seem an odd result.  55.htm says in its report:


>>>>

<excerpt>For Source Informatics, Mr Michael Beloff, QC, said that rare
drugs and rare drug combinations would be excluded from the company's
scheme and that there was no danger of patients being identified. 
However, the judge said that the company had recognised that there was a
remote risk that certain information of a rare kind might conceivably
enable a patient to be identified.  Although he agreed there was no
rational basis for such concerns, he said that systems did not always
work perfectly and that a risk, however small, remained.  "Pharmacists
provide a service to the community as a whole," he said.  "It is a matter
of real importance that they retain the trust of the public.  For them to
breach their patients' confidence for their personal gain does not seem
to me to be acceptable unless it could be said that the breach of
confidence is itself in the public interest."

</excerpt><<<<<<<<


I could not find a report of this case on the Court Service Website, and
it would be useful to see the full judgement in order to be sure what the
reasoning is.  The report above suggests that a risk of individual or
system error leading to a failure of the anonymisation process was the
basis for the decision.  But it seems strange that a risk characterised
as "remote" and providing "no rational basis for such concerns" should
have been decisive.


It is worth noting that this was a challenge by judicial review of DHSS
guidelines, not a complaint by an individual that there had been any
breach of confidence, so the argument was entirely on the basis of
hypothetical facts.  It is of course very desireable that judges should
be so ready to recognise that computer systems are not infallible, and be
so tenderly solicitous of remote risks of breaches of confidence, even if
this leads to an unhappy result.  I cannot help wondering whether an
action by an individual against a pharmacist would have received the same
sympathy as this attempt to challenge Government guidelines.


One must hope that if the Court of Appeal or the House of Lords take a
different view of the result, it will not undermine either the importance
of medical privacy or a realistic approach to the risks of error!


Regards,


Nicholas Bohm


Salkyns, Great Canfield,

Takeley, Bishop's Stortford CM22 6SX, UK


Phone		01279 871272	(+44 1279 871272)

Fax		01279 870215	(+44 1279 870215)

Mobile   	0860 636749  	(+44 860 636749)


PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:

9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07

PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:

5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF