Joint Committee On Human Rights Fourteenth Report

2 Data protection and the Human Rights Act

Data protection and human rights

8. Personal data (which includes an individual's name, address, date of birth and national insurance number) is protected by Article 8 of the European Convention on Human Rights as part of an individual's private life. In the context of medical records, the European Court of Human Rights has stated:

The protection of personal data, particularly medical data, is of fundamental importance to a person's enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention. Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. The domestic law must afford appropriate safeguards to prevent any such communication or disclosure of personal health data as may be inconsistent with the guarantees in Article 8 of the Convention (MS v Sweden (1997) 28 EHRR 313, para. 41).

The same comments could be made in respect of personal data of any kind held by any organ of the State.

9. The obligation to provide personal data, the release of personal data without consent, and the collection and storage of personal data all amount to interferences with an individual's right to respect for his or her privacy. Whether or not such interferences amount to a breach of Article 8 will depend on an assessment of whether the disclosure was "in accordance with the law", necessary in a democratic society for a legitimate aim (in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others), and proportionate. The adequacy of the safeguards in the overall regime is central to this assessment.

10. In its written memorandum, the Information Commissioner's Office noted that the Data Protection Act is derived from the European Data Protection Directive, which itself has its origins in the European Convention on Human Rights. It explained that the Data Protection Act provides practical guidance to public bodies on how to meet their obligations under the Human Rights Act to respect personal data. "It is fair to say", it concluded, "that there is a mutually supportive interplay between human rights, data protection and the work of the Information Commissioner".[12]

11. The right to respect for private life in Article 8 ECHR imposes a positive obligation on the State to ensure that its laws provide adequate protection against the unjustified disclosure of personal information. The Data Protection Act 1998 is an important part of the detailed implementation of that positive obligation, but its mere existence does not exhaust the obligation on the State to provide adequate safeguards. The Data Protection Act must itself be interpreted so as to be compatible with Article 8, and it may still be necessary for legislation which authorises the disclosure of personal information to contain detailed provisions circumscribing the scope of that power and providing safeguards against its arbitrary use.

Data sharing

12. Data sharing between public sector bodies is becoming increasingly common. In our legislative scrutiny work, we often encounter provisions to enable Government departments and other bodies to share data for a wide variety of purposes. Table 1 summarises the provisions we have commented on in recent years.[13]

13. In its written memorandum, the Information Commissioner's Office said that "the unnecessary or disproportionate sharing of personal information can undoubtedly have a significant negative impact on individuals". It drew attention to public concern about the mismanagement of sensitive personal information, particularly in relation to health records, tax returns, police records and adoption papers. [14] It went on to say, however, that:

It is wrong to see the sharing of personal information as necessarily a bad thing, one that can necessarily be opposed on data protection or human rights grounds … The issue … isn't whether there should be more or less information sharing, but rather what information is being shared, why it's being shared, who has access to it and what the effect of this is.[15]

14. We agree that data sharing is not, in human rights terms, objectionable in itself. Indeed, the sharing of personal data may sometimes be positively required in order to discharge the State's duty to take steps to protect certain human rights, such as the right to life,[16] and it is also in principle capable of being justified by sufficiently weighty public interest considerations. However, the sharing of personal data will inevitably raise human rights concerns, and the more sensitive the information the stronger those concerns will be. Government must show that any proposal for data sharing is both justifiable and proportionate, and that appropriate safeguards are in place to ensure that personal data is not disclosed arbitrarily but only in circumstances where it is proportionate to do so.

12   Appendix 2, paragraphs 2, 3, 16. Back

13   See paragraph 16 below. Back

14   Appendix 2, paragraph 5. Back

15   Ibid, paragraph 6. Back

16   E.g. in Edwards v UK the failure to ensure that information was passed from the police to the prison authorities, about the risk posed by a mentally ill detainee, contributed to the finding by the European Court of Human Rights that the UK was in breach of the positive obligation to protect life when that detainee killed his cellmate. See also Nineteenth Report, session 2003-04, Children Bill, HC 537, HL Paper 161, paragraphs 98-117. Back

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2008
Prepared 14 March 2008