independent

Goodbye, Data Protection! Hello, Privacy Act?

Peter Jenkins

What are the implications, if any, for therapists of the recent phone-hacking scandal? Peter Jenkins takes a satirical, counter-factual perspective, on the surprising outcome that never actually happened…

The ill-fated 1998 Data Protection Act (DPA) could probably lay claim to very few friends on Facebook, and to even fewer followers on Twitter. All the same, its rapid demise in late 2012, in the wake of the phone-hacking scandal, took most informed observers by complete surprise. The legislation was, notoriously, acknowledged even by its own guidance as being ‘complex, and, in places, hard to understand’. One senior judge had described the Act itself as ‘inelegant and cumbersome’. An uneasy compromise between earlier case law and a complex European Directive, the resulting law and guidance was dense, opaque and subject to a steady drip of corrosive adverse publicity (see below).

In fairness, much the same could be said of any other piece of legislation exposed to the harsh glare of media criticism. What was different in the case of the DPA was the pressure on the government to be seen to respond to multiple alleged breaches of privacy in the breaking wave of the phone-hacking scandal. Far from being the ‘iron fist in a velvet glove’ originally promised by Elizabeth France, first Information Commissioner, many felt that the DPA had signally failed to take firm action in the case of the media’s growing trade in illicit personal data. A government never keen on regulatory agencies, saw its opportunity, and axed the unfortunate Information Commissioner’s Office (ICO), along with the PCC, FSA, CQC, HSE, OFSTED and other acronyms, in the brutal ‘bonfire of the quangos’. The new doctrine of full-throated ‘Free Market Self Regulation’ was rapidly put together – the market alone would now reward good practice and punish unethical or ineffective performance, right across the board, ranging from schools, to hospitals, to record-keeping.

Impact of WikiTherapy
However, the fresh broom of free market reform barely had time to take effect before it faced its first real challenge. Few expected that WikiTherapy, as a specialist and somewhat obscure website, would have such a major and devastating impact on the reputation of senior politicians. Its leaks of the private therapy records of leading government figures fed into a growing global demand for confessional literature. Whether they concerned the grandiosity of foreign ministers, or the obsessive-compulsive behaviours of economic strategists, the leaks threatened to destabilise the government’s already fragile reputation for good governance. It moved rapidly to make the disclosure of therapy secrets of government figures illegal, unless able to meet the test of being ‘in the substantial public interest’.

Again, only adroit lobbying by UKCP kept the ball in play. Some surgically effective amendments, in a late-night sitting, removed the offending term ‘substantial’, which successfully protected therapy secrets, but only those of the rich and powerful. Via the back door of parliamentary lobbying, the psychotherapy profession suddenly ended up with the elusive Holy Grail of full therapist legal privilege, having previously failed to achieve the lesser goal of statutory regulation. At a stroke, psychotherapists were now free from any requirement to reveal professional records to the courts, or to give evidence in court against their will. As one leading psychotherapist ruefully remarked: “It’s a bit like bouncing a cheque, and then winning the Lottery…”.

‘Kid chipping’ and the Eye of Sauron
Exactly how the Therapeutic Privacy Act 2012 will pan out is hard to say at this early stage of proceedings. It seems clear that it is already under pressure from the implications of ‘kid chipping’, or the widespread use of Computerised Home Implant Protection Systems. Hugely popular, initially as a means of protecting exotic or domestic pets, the vast majority of children have now been ‘chipped’ as a protective measure by parents – indeed, failure to provide chips for one’s children is increasingly viewed as almost a safeguarding issue by the authorities. Head teachers have enthusiastically backed this measure, likening it to the Eye of Sauron, which will instantly identify the whereabouts of truants, or those engaged in other anti-social behaviour. Sceptical critics have retorted that the Eye of Sauron was, in fact, remarkably ineffective in actually locating Hobbits, who could apparently hide from hostile gaze under a large bush, or even a small rock, and is unlikely therefore to mitigate risky behaviour by children in any serious manner. The implications for infringing the privacy rights of children attending school-based therapy seems to have been conveniently overlooked in the enthusiasm for developing wider surveillance of young people. Given that attending counselling is clearly established as a privacy matter in law under the earlier Campbell ruling of 2002, a principle now fully endorsed by the TPA 2012, the implications for therapy, for both adults and children, are left dramatically unclear for the interim. A full public report from the newly appointed ‘Privacy Czar’, Max Mosley, is expected imminently.

Obituary of the DPA: Final Comment?

Given the rapid and unforeseeable recent demise of the DPA described above, it is perhaps unfair to dwell too long on its more obvious shortcomings. One prominent critic, Simon Davies of Privacy International, has suggested that the Act “was written with the express intention of ensuring that data protection administration was weak, because this government saw data protection as a potential roadblock to profitable commerce” (The Guardian, 5/4/2008). Whether all would agree with this analysis is uncertain; what is more likely is that few therapists will mourn the passing of the old DPA given its replacement by the prospect of therapist privilege in the form of the new Therapeutic Privacy Act 2012.

Data Protection Act 1998

The Data Protection Act 1998, was originally designed to regulate the handling of all personal data, via what was termed, in a phrase worthy of Lady Bracknell, a ‘compendious definition’ of information, with few obvious loopholes. Originating from an EC Directive, it also incorporated earlier case law, following the successful case by Graham Gaskin for access to his social work files whilst in care. The result was a complex, inelegant piece of legislation, ambitious in scope, but complex in its actual detail, particularly regarding psychotherapy records – were data files ‘assessable’, or just merely ‘accessible’? Its original, fairly modest, intentions were subject to successive ‘mission creep’ as the scope of the Act was seen to extend to include even random collections of paper files, as well as to electronic data in all its numerous forms. The Durant case of 2003 signalled the reining back of the Act’s remit by the courts, effectively taking most manual (or handwritten) therapy files outside the scope of DPA regulation. However, the Freedom of Information Act 2000 then brought paper files back into play, if in the form of ‘unstructured files’ held by public authorities – leading to yet more complexity in the guidance and interpretation.

‘Blaming the Act’ became almost standard practice for large organisations needing to shift blame away from their own decision-making processes, arguing the need to preserve confidentiality at all cost. British Gas was criticised by the Information Commissioner for citing the Act as the reason for not contacting social services when disconnecting the gas supply of an elderly couple: “It is ridiculous that organisations should hide behind data protection as a smokescreen for practices which no reasonable person would ever find acceptable” (The Guardian, 14/4/04). In the Soham murder case, it emerged that police authorities had failed to share information about Ian Huntley’s predatory sexual activity with under-age girls, again on the grounds of data protection constraints. However, their arguments were decisively rejected by Lord Bichard in his Inquiry Report, pointing instead to “very serious failings in the senior management of Humberside police”.

Unlawful trade in personal data
Perhaps the greatest weakness of the DPA was in terms of its lack of robust enforcement, despite the early promises of Information Commissioner Elizabeth France. For the period 2000-2006, the ICO estimated that around 100,000 offences under the Act had taken place involving illegal access to personal data yet, in the same period, there were only 22 successful prosecutions. The ICO’s own research, via Operation Motorman, revealed “an unlawful trade in confidential personal data” involving security firms, banks, insurance companies, debt tracing agencies and the media. Yet, despite what has since emerged about the apparently industrial scale of alleged phone hacking, the only outcome was to persuade the Press Complaints Commission to issue a Note “reminding the Press of its data protection obligations”.

The full significance of the scale of the illegal trade in personal data revealed by Operation Motorman, and the failure of the ICO to act on this, only saw the light of day buried in the small print of the Leveson Inquiry. Despite having uncovered widespread, serious potential breaches of the DPA, the ICO appeared to conclude that discretion was the better part of data protection and took no action. Alexander Owens, lead investigator for Operation Motorman, claimed that he was “warned off prosecuting the press, because they were ‘too big’ to take on” ( The Guardian, 29/3/2012), a claim later denied.

Peter Jenkins is Senior Lecturer in Counselling at the University of Manchester and author of Counselling, Psychotherapy and the Law (Second edition, Sage, 2007).

References
Bichard, M. (2004) The Bichard Inquiry Report. HC 653. London: The Stationery Office
Information Commissioner’s Office (2006) What Price Privacy? The Unlawful Trade In Confidential Personal Information. London: The Stationery Office

Image: Bound to Make the Connection by jaxxon