Written evidence submitted by the Information Commissioner
1. The Information Commissioner has responsibility
for promoting and enforcing the Data Protection Act 1998
(DPA) and the Freedom of Information Act 2000 (FOIA). He is independent
from government and promotes access to official information and
the protection of personal information. The Commissioner does
this by providing guidance to individuals and organisations, solving
problems where he can, and taking appropriate action where the
law is broken.
2. The Commissioner welcomes the opportunity to submit
evidence to the Home Affairs Committee's inquiry into firearms
control and recognises the importance of developing effective
and proportionate measures to prevent gun violence and ensure
the highest levels of public safety. The Committee has identified
increased information sharing as something which may help achieve
this. The sharing of information between the police, Prison Service
and medical profession inevitably engages data protection and
privacy concerns and it is important that these are considered.
It is these aspects of the Committee's inquiry on which the Commissioner
is submitting evidence. He is particularly interested in the proposals
to improve information sharing between medics and the police in
respect of gun licensing.
PROPOSAL TO SHARE INFORMATION BETWEEN THE POLICE AND MEDICAL PROFESSION
3. The issue of the sharing of information between
medics and the police in respect of gun licensing has recently
come to the Commissioner's attention following an enquiry from
the British Association for Shooting and Conservation (BASC).
The BASC were seeking advice on the data protection compliance
implications of a proposal which the Commissioner understands
was made jointly by the Association of Chief Police Officers (ACPO)
and the Independent Police Complaints Commissioner (IPCC).
4. That proposal was for the individual health records
of all NHS patients holding shotgun or firearms certificates to
be electronically "tagged". If the GP believed that
the mental or physical health of a "tagged" patient
presented a risk to the safety of the patient or the public he
or she would be in a position to alert the police.
5. The Commissioner understands that the proposal
was also subsequently discussed by ACPO and the British Medical
Association (BMA). The BMA has since, in July 2010, published
guidance for its members on certifying patients' fitness to hold
firearms.
DATA PROTECTION ISSUES
6. The sharing of personal data about individual
patients between medics and the police in respect of gun licensing
and in particular the idea of "tagging" the health records
of shotgun and firearms certificate holders engages the First,
Third and Seventh Principles of the Data Protection Act 1998 ("the
Act").
7. The First Principle of the Act requires, amongst
other things, that personal data shall be processed fairly and
lawfully. Processing personal data fairly means ensuring, amongst
other things, that the individual to whom the personal data relates
is made aware of the purpose or purposes for which the personal
data is to be processed and is provided with any further information
which is necessary to enable the processing in respect of that
individual to be fair.
8. To process personal data lawfully a data controller
must comply with all the relevant rules of law whether derived
from common or statute law, relating to the purposes for which
the personal data is or is to be processed. This would include,
for example, the provisions of Article 8 of the Human Rights Act
1998, the right to respect for private and family life.
9. According to the Home Office statistical bulletin
for 2008-09 published on 25 March 2010 there were 138,728 firearm
certificates and 574,946 shotgun certificates issued in England
and Wales in the year ending 31 March 2009. These figures do not
show how many individuals hold both firearms and shotgun certificates;
however, there could be up to 713,674 people whose NHS health records
would be affected if the tagging proposal was adopted. According
to the BASC the proposal to tag individual health records was
made in response to 11 incidents involving firearms over a period
of five to six years where it was felt that the police would have
benefitted by having information about the subject's medical or
mental state, and that this information might have helped to prevent
those incidents.
10. In the Commissioner's view the proposal raises
a question as to whether the attachment of a tag to the health
record of every NHS patient who holds a shotgun and/or firearms
certificate is a fair and proportionate way of addressing this
matter.
11. The existing firearm and shotgun certification
procedures require applicants to give consent for the police to
approach their GP when necessary to obtain factual information
about their medical history. The applicant's consent is not time-limited
and the police can use it to approach the applicant's GP at any
time during the lifetime of a certificate. Under the present arrangements
this authority is used where doubts or concerns about the applicant's
medical history require more detailed information to enable a
final assessment of an application to be made or if there are
any concerns about the applicant's continued fitness to possess
firearms during the lifetime of a certificate. In either situation
the GP is only asked to provide factual information on an applicant's
medical history and is not asked to provide an opinion on any
of the medical information or to endorse or oppose an application.
12. When dealing with cases where there are any doubts
or concerns about the applicant's fitness to own firearms, either
at the outset of an application for or during the life of a certificate,
it appears that the existing procedures are being applied in a
fair and proportionate way. By comparison, tagging the health
records of up to 713,674 certificate holders to deal with what
is a relatively small number of incidents, serious though these
may well have been, appears to be at odds with this approach.
This raises questions as to whether any thought has been given
to the possibility of maintaining the same fair and proportionate
approach whilst adapting and improving the existing procedures,
and the ongoing consent these provide, to deal with such incidents.
13. Also in this context the Information Commissioner
would be interested to know whether any consideration has been
given to the carrying out of a Privacy Impact Assessment (PIA)
into the proposals to tag the health records of so many individuals.
The Cabinet Office Data Handling Review of 2008 mandated all central
government departments and agencies to carry out a PIA at the
planning stage of all new initiatives and projects to ensure that
the use and sharing of personal data was both justifiable and
proportionate. This is an essential requirement to ensure that
appropriate safeguards are in place and that personal data is
not disclosed arbitrarily but only where it is fair and proportionate
to do so. Following the PIA process will highlight all these issues.
It may also help in deciding whether and how the existing certification
procedures could be adapted and improved to deal with the type
of incidents referred to above without the need for the wholesale
tagging of large numbers of individual health records.
14. The Third Principle of the Act states that personal
data shall be adequate, relevant and not excessive in relation
to the purpose or purposes for which they are processed. The Act
defines a health record as "any record which consists of
information relating to the physical or mental health or condition
of an individual ... made by or on behalf of a health
professional in connection with the care of that individual".
The Act also defines medical purposes as including "the purposes
of preventative medicine, medical diagnosis, medical research,
the provision of care and treatment and the management of healthcare
services".
15. In its recently published guidance on Firearms
the BMA refers to the tagging of health records and says "In
the BMA's view such a system can be appropriate, provided it is
used as part of the ordinary care given to a patient". It
is unclear to the Information Commissioner how personal data in
the form of a tag indicating that the patient to whose health
record it is attached holds a shotgun or firearms certificate,
has any relevance to the medical purpose or purposes for which
the personal data in the health record are processed. In the circumstances
it appears unlikely that the proposed tagging arrangement would
comply with the relevance requirement of the Third Principle of
the Act. It follows that if the personal data used to operate
the proposed tagging system is not relevant then it is also likely
to be excessive.
16. The Commissioner is also concerned that the proposed
tagging arrangements could be seen as creating a significant precedent
which could result in GPs coming under pressure to attach tags
to health records for other non-medical purposes such as whether
an individual has been convicted for or has a history of knife
crime or violent crime. This may risk changing the character of
medical records and broaden the base of those who may seek access
to individuals' health care records for non-medical reasons.
17. The Seventh Principle of the Act states that
appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data. The Act goes on to say that the measures taken must ensure
a level of security appropriate to the harm that might result
from such unauthorised or unlawful processing or accidental loss,
destruction or damage as are mentioned in the Seventh Principle,
and the nature of the data to be protected. The data controller
must also take reasonable steps to ensure the reliability of any
employees of his who have access to the personal data.
18. Currently the personal data on individuals who
hold shotgun and/or firearms certificates is held securely by
the police. This information is not accessible to anyone outside
the police service and is only shared throughout the service via
the National Firearms Licensing System (NFLMS) which is linked
to the Police National Computer (PNC). NFLMS flags up a "warning"
when a certificate holder is checked on the PNC by any police
officer. The Information Commissioner is not aware of any evidence
to show that the present security arrangements for this personal
data are unsatisfactory or have ever been breached.
19. Whilst the Data Protection Act 1998 does not
prevent the appropriate sharing of personal data it does require
data controllers to take measures to ensure a level of security
appropriate to the harm that might result from the personal data
being accessed unlawfully or without proper authorisation. Clearly
information about individuals who hold firearms and/or shotguns
and where these are held could be extremely harmful should it
fall into the wrong hands.
20. Whilst the tagging proposals refer only to the
GP and the information sharing proposals refer only to "medics"
it is not only the GP or medics who have access to individual
health records and the personal data within them. Although, under
the terms of the Data Protection Act 1998, GP practices are individual
data controllers for the health records they hold, many other employees
within the GP Practice and other, wider parts of the NHS can also
have access to the records although with some staff members this
can be limited to certain parts of the record depending on their
particular job. The ongoing development of electronic patient
records will also make individual health records more widely accessible
across the whole of the NHS and will eventually provide the individual
patient with "on-line" access to some or all of his
or her own health record.
21. Although there is a long standing and well established
culture of patient confidentiality and information security running
throughout the NHS, the risk of inappropriate disclosure and use
remains a real one. For example at present 30% (345) of all data
security breaches self-reported by organisations to the Information
Commissioner's Office are from within the NHS. Whilst this figure
may in part reflect those organisations' wish to be open about
their difficulties and confirm the remedial measures they have
taken it gives an idea of the potential vulnerability of existing
medical records. The Commissioner is concerned that the process
of sharing the recording of personal data with the NHS relating
to many hundreds of thousands of individual patients who hold
shotgun and firearms certificates is as secure as possible and
at least as secure when held by large numbers of individual data
controllers within the NHS as it is when held by the Police.
22. The Commissioner also believes that if a decision
is made to link these two different sets of personal data there
is a real risk of matching errors occurring. In addition to basic
name, address and date of birth details, health records can also
be cross checked to ensure an accurate match by using the patient's
individual NHS number and other clinical information. As far as
the Commissioner is aware, other than basic name and address etc,
there are no such individual cross matching points between firearm
certification records and health records. Given that any tagging
exercise could involve in excess of 700,000 records it is likely
that there will be a significant number of individual cases where
matching errors will occur. Such mis-matches could cause distress
and damage to the individuals affected and possible risks to the
public as a whole.
INFORMATION SHARING WITH THE PRISON SERVICE
23. Whilst the sharing of relevant information between
the police and Prison Service also engages concerns about data
protection compliance, such information sharing already takes
place as both operate within the law enforcement community. This
is consistent with common interests over the release of convicted
offenders back into the community. Provided the sharing of information
is limited to that which is necessary to protect the public, the
offender and others that may come into contact with them then
the same range of data protection concerns do not arise.
CONCLUSION
24. Despite the data protection compliance concerns
that he has highlighted in this submission the Commissioner recognises
and accepts the importance of developing effective and proportionate
measures to prevent gun violence and ensure the highest levels
of public safety. An investigation into whether the existing certification
procedures and the ongoing consent that these provide can be adapted
and improved to provide the police with some sort of advance warning
of possible serious incidents might provide a possible way forward
here. Whatever direction this matter takes the Commissioner remains
ready to be involved in the continuing debate and to provide advice
and assistance to ensure that any changes comply fully with the
requirements of the Data Protection Act 1998. If new legislation
is required to effect wider information sharing he would expect
to be consulted and in any event expects that this will be subject
to a rigorous level of parliamentary scrutiny and debate before
it becomes law.
26 August 2010