On 1 March 2018, Mrs Justice Yip granted Migrants’ Rights Network (MRN) permission to apply for judicial review of a memorandum of understanding (MoU) under which non-clinical patient data is shared between NHS Digital and the Home Office for the purposes of immigration enforcement.

Overview

MRN is challenging the MoU on the basis that it breaches privacy and data protection rights and discriminates against vulnerable groups of people. It is argued that the MoU undermines the public interest in doctor-patient confidentiality, deterring migrants from registering for healthcare, with serious and potentially life-threatening consequences.

At a permission hearing MRN pursued five grounds:

  • The information sharing provisions under the MoU breach privacy rights because they contain inadequate safeguards and are disproportionate;
  • The MoU directly discriminates against people with uncertain immigration status;
  • The MoU indirectly discriminates against disabled and female migrants;
  • The Secretaries of State for Health and the Home Department are in breach of public sector equality duty by failing to consider the equality impact of the MoU on vulnerable groups;
  • NHS Digital is in breach of its duty to comply with the data protection principles.

Mrs Justice Yip granted permission on all grounds. In doing so, she rejected the argument that a review by Public Health England, due to take place in January 2019, would be a suitable alternative remedy. In recognition of the wider public importance of the challenge, she granted a Cost Capping Order, limiting the Claimant’s liability to £15,000 should the claim be unsuccessful.

This case raises a number of interesting questions to be considered at the substantive hearing.

Private data

One issue is whether health care data, including non-clinical medical information, amounts to private data protected by Article 8 ECHR. The European Court of Human Rights has held that protecting personal data, including medical data, is of “fundamental importance” to a person’s Article 8 rights (Z v Finland (1998) 25 EHRR 371 at [95]). However, the Defendants argue that names and addresses do not constitute health care data and therefore individuals cannot have a reasonable expectation of privacy in that data for the purposes of Article 8.

The Court of Appeal’s judgment in Re (W) v Secretary of State for Health [2015] EWCA Civ 1034 will be relevant to the Article 8 assessment, as it confirmed that all information provided in the context of the doctor-patient relationship, including non-clinical information, is inherently private (at [34]). There was no breach of Article 8 in that case because individuals were made aware of the fact that their private information may be passed to the Secretary of State. Where, as here, migrants are not made aware of that possibility, there is strong case that they have a reasonable expectation of privacy in their non-clinical information.

Data protection rights

MRN alleges that the MoU breaches Data Protection Principles 1 and 2.

The sharing of information between the Home Office and NHS Digital, which links individuals through their names and addresses to investigations concerning the commission of criminal (immigration) offences, arguably amounts to the processing of sensitive personal data under section 2(g) of the Data Protection Act 1998 (DPA 1998).

Principle 1 requires one of the conditions in Schedule 2 DPA 1998 to be met before personal data can be processed and one of the conditions in Schedule 3 DPA 1998 to be met before sensitive personal data can be processed. Save where consent has been given to the processing, to comply with any of those conditions the processing has to be “necessary” in pursuit of the purpose in the condition. MRN’s case is that, as the MoU contains no requirement that data sharing is “necessary”, it cannot be “fair and lawful” within the meaning of data protection Principle 1.

Principle 2 requires personal data not to be further processed in any manner incompatible with the purpose(s) for which the data was lawfully collected, unless the individual consents. NHS healthcare providers obtain the information for the purpose of providing medical services alone. MRN contends that disclosure to the Home Office amounts to further processing of data. Therefore, given the detrimental effect of the MoU on provision of healthcare, disclosure to the Home Office is incompatible with the purpose for which the data was originally collected.

 

MRN continues to raise funds to meet the £15,000 Cost Cap on its Crowdfunding page.

Emma Foubister is a trainee barrister at Matrix Chambers