The Government refers in its consultation paper to the types of
data that may be held under the scheme. "None of this information,"
it tells the public, "falls within the category of sensitive
personal data".
Sensitive personal data is defined in the Data Protection Act as
including data about an individual such as, among other things,
racial or ethnic origin; political opinions; religious beliefs;
physical or mental health or condition.
However, writing in the latest issue of Data Protection &
Privacy Practice, published by Masons today, Dr. Chris Pounder said
that the Government's reassurance with respect to sensitive
personal data cannot be relied upon.
"It is well known that the central database will include a
photograph of the ID card holder. If that photograph reveals a
certain medical condition, for instance, Downs Syndrome or
blindness, then clearly these photographic data are sensitive
personal data," said Dr. Pounder.
"Equally," he continued, "sensitive personal data would be
processed if photographic identity data were used in a racial
context – for example, if the authorities searched the database to
identify an Afro-Caribbean Fred Bloggs from, say, a Caucasian Fred
Bloggs".
These are not the only issues, however. In explaining how the
NHS will benefit from the ID card, John Hutton, Minister of State
at the Department of Health told MPs on the Home Affairs Select
Committee in April that the ID card will most likely have to be
presented "when you first register with a GP" and "in relation to
the first in a series of hospital appointments, outpatient
appointments or whatever". The Minister added that there was "an
argument too for periodic checks as well because a person's
residency and immigration details can change over time".
Dr. Pounder points to the draft ID Card Bill, which states that
the central registry database is to contain "access records". The
Bill states that these "access records" include "particulars of
every occasion on which a person has accessed an individual's entry
and of the person who accessed it".
He said: "If an individual with an ID card uses an NHS service
which requires a check on entitlement for free treatment, there can
be a record in the ID Card database which describes that check.
This would provide details of which NHS body holds the medical
records and, in the context of our analysis, of the circumstances
outlined by the Minister - in particular 'first outpatient
clinics'."
"The record of which clinic the patient attends, however, can
give inferential detail of the individual's medical condition.
After all, patients who attend at a sexually transmitted diseases
outpatient clinic or a pre-natal maternity clinic are not queuing
for a flu jab," he reasoned.
Dr. Pounder concluded: "On the spectrum of privacy issues
associated with the ID Card database, this issue is relatively
minor. It is the categorical assertion that there is 'no sensitive
personal data' which causes concern. It shows that the proposed ID
card scheme has not been informed by any serious understanding of
the data protection and privacy elements involved."
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
