Data Protection Act: public services are confused as 7 July bomb aftermath showed

The problems faced by agencies trying to contact survivors of the 7 July London bombings have highlighted confusion over data protection and how it inhibits the work of social care agencies. Mark Hunter investigates the source of the problem

About 4,000 people were directly caught up in the 7 July terrorist attacks in London last year. It is estimated that as many as 1,000 of these people and 2,000 of their children were likely to have suffered psychological trauma as a result of their experiences.

Yet, when the NHS Trauma service tried to instigate an outreach programme to offer counselling and support, it faced severe difficulties in identifying and contacting survivors. Many of the contact details and personal information collected in the immediate aftermath of the bombings had been lost or deleted for data protection reasons. Much of the information that did remain was deemed out of bounds to the trauma team due to data protection legislation.

When the review conducted for the London Assembly by Richard Barnes into the capital’s response to the bombings asked why such vital information was withheld, it was told that while the Civil Contingencies Act 2004 allows emergency services to access information about people involved in major incidents, this privilege does not extend to mental health services.(1)

The trauma service was not alone in struggling to access information about victims of the bombings. The 7 July Assistance Centre, which organises follow-up support for survivors and the bereaved, and the Barnes inquiry have faced similar problems in contacting survivors.

“When we tried to contact survivors ourselves to ask them to contribute to our review, we were surprised to find that there was no definitive list of survivors in existence,” states the Barnes review.

Thus the 7/7 bombings can be added to a growing list of cases where protection and privacy legislation presents a barrier (or at least a perceived barrier) to the sharing of vital information between agencies. Previous examples include the death of Victoria Climbie, whose inquiry concluded that “the free exchange of information is inhibited by the Data Protection Act 1998, the Human Rights Act 1998, and common law rules on confidentiality”; and the Soham murders in which Humberside police deleted vital information on murderer Ian Huntley because they wrongly believed that to keep it would contravene the Data Protection Act.

It is worth pointing out that in the Soham tragedy, and possibly the 7/7 bombings, it is not necessarily the legislation that is at fault. Rather it is how organisations and front-line professionals interpret the legislation and act accordingly. The reality is that many front-line staff do not fully understand the laws governing information sharing. They do know, however, that there are severe financial penalties for divulging the wrong information and so may act overcautiously.

The Data Protection Act 1998 came into force on 1 March 2000. It replaced the previous data protection act of 1984 and was brought in to comply with a European Community directive to protect individuals “with regard to the processing of personal data and the free movement of such data”. Under the act, all organisations that collect, hold or process personal information must ensure that they comply with eight key principles.

The data must be:

  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant and not excessive.
  • Accurate.
  • Not kept longer than necessary.
  • Processed in accordance with individuals’ rights.
  • Kept secure.
  • Not transferred to countries outside the European Economic Area without adequate protection.

    But the processing of “sensitive personal information” of the sort that social services or health professionals collect is also regulated by a set of principles governing such issues as consent, legal exemptions and disclosure of information in the public interest. The complexity of these principles and the impenetrable legal jargon in which they are written may be the source of the confusion surrounding the act’s application.

    To add to the confusion, a raft of policy directives designed to encourage interagency co-operation and data sharing soon followed the Data Protection Act. It seemed that public service professionals were being told to protect their clients’ confidentiality while simultaneously allowing increased access to their personal details.

    It was not long before the government was forced to offer detailed guidance on how public service professionals could properly share information while remaining within the law.

    In November 2003, the Department for Constitutional Affairs admitted that “legal uncertainty over what is, and what is not, permissible may be inhibiting data sharing by local authorities. Similarly, some government departments have been inhibited from setting up new data-sharing initiatives because of doubts as to what their legal powers allow them to do”.

    A year later, government constitutional affairs secretary Lord Falconer was describing the Data Protection Act as “almost incomprehensible” and promising plans to simplify it. However, a report published last year by the Social Exclusion Unit identified the Data Protection Act’s restrictions, along with a perceived lack of guidance from government, as the main barrier to information-sharing between agencies tackling social exclusion.(2)

    And in March this year, the Cabinet Office admitted in a report on data sharing between adult social care and NHS staff that a “persistent confusion exists among practitioners over the interpretation of the Data Protection Act and its relationship with the common law duty of confidentiality, and other legislation such as the Human Rights Act, Health and Social Care Act 2001 and other data-sharing legislation.(3)

    “Such confusion often relates to what information can be shared and the level of detail permissible,” says the report, which goes on to promise that a single information-sharing protocol for adult social care and NHS staff will be developed by December this year.

    Given the plethora of guidelines and protocols already issued by various different government departments and professional bodies on data sharing, much of which is inconsistent, a single, unifying protocol does seem like a sensible step forward.

    However, according to David Johnstone, director of adult and community services in Devon and chair of the Association of Directors of Social Services standards and performance committee, advice directed at front-line professionals is all very well, but what is really required is a cross-departmental commitment at government level to ensure that data sharing becomes a reality.

    Johnstone believes it is wrong simply to blame the Data Protection Act, and particularly front-line professionals, for the lack of progress being made on interagency sharing of information.

    With government departments offering conflicting advice and progressing at varying rates on initiatives such as the single assessment process, it is not surprising that front-line professionals sometimes find it difficult to share information.

    Certainly, Johnstone says, the slow progress cannot be blamed on a lack of commitment at local level or on resistance to data sharing by service users.

    “Every single survey shows that service users assume and fully expect that we do share information,” he says. “Nobody likes the nonsensical situation where you have people being asked the same questions again and again by a whole range of different professions.”

    The problem is, says Johnstone, that government data-sharing initiatives lack co-ordination, with different departments often seeming to act independently of one another. “We are not being given sufficient lead by government departments. We get a lot of talk but when it comes to putting something into practice then too often it’s left to local government and to the front-line

    “It’s not the legislation that’s the problem, and it’s not a technical problem. It’s perfectly possible to protect confidentiality and allow information sharing at the same time. It’s a cultural issue and the lead needs to come from the Cabinet Office. But at the moment it’s doing far too little, far to slowly and far too bureaucratically.”

    (1) Report of the July 7 Review Committee, London Assembly, 2006
    (2) Inclusion Through Innovation: Tackling Social Exclusion Through New Technologies, SEU, 2005
    (3) Making a Difference: Safe and Secure Data Sharing Between Health and Adult Social Care Staff, Cabinet Office, 2006

  • More from Community Care

    Comments are closed.