A tailored media response

Yesterday, Sara Ryan posted – with understandable fury – information she had obtained via Freedom of Information about monitoring of her blog by Southern Health NHS Trust. It’s difficult to quickly summarise the story of Ryan and her son Connor, but the crucial fact for my comments here is that Ryan writes a compelling blog, which used to be about Connor’s learning difficulties, and which became a heartbreaking and angry chronicle of what she has experienced following Connor’s preventable death in a Southern Health treatment centre.

I don’t have kids and I have no idea what Ryan and her family have gone through so it’s pointless for me to speculate. It seems almost distasteful to find a data protection angle in the story, but nevertheless, the cause of Ryan’s anger this week should echo loudly through all organisations that deal with the public, and especially with their Data Protection officers.

Ryan’s blog reports that last week, the board chair, Simon Waugh, told her that there had been no surveillance of her blogging. This week, she received information from the Clinical Commissioning Group that told another story. A report was written by Trust the day after Connor died. The aim was to “help in shaping a tailored media response to the incident and monitoring of potential media interest in the incident“. Always good to get your priorities right.

It appears from some of the summaries that Ryan published that staff had discussed some of her blog posts with her. The summary states that “Approaches have been made by the staff to speak to the mother about the appropriateness of what she writes and intentions have been that these conversations should happen face to face and no formal response would be taken through social media.” That sentence is so passive and oblique that I am not entirely sure what was said and what conclusion Ryan would reasonably have drawn if there was a proper discussion. Even so, it’s obvious that she was not aware that her blog posts were being read and summarised by the trust’s ‘Communications and Engagement Manager’; her data and that of her son was being processed for the Trust’s purposes without her knowledge.

A cynical person (which I usually am) might say that everything Ryan wrote was in the public domain, that she should have expected that people in the Trust would read it. But they would be wrong. The Information Commissioner’s rather woolly guidance on Personal Information Online makes the unavoidable point that all gathering of personal data must be fair:

“If you collect information from the internet and use it in a way that’s unfair or breaches the other data protection principles, you could still be subject to enforcement action under the DPA even though the information was obtained from a publicly available source.”.

And there’s more: “You should only use their information in a way they are likely to expect and to be comfortable with.”

There’s a debate to be had about whether an organisation is ever entitled to do this kind of thing. Whether you look at the question legally or ethically, I’m not sure what the answer is. Nevertheless, even accounting for the fact that there are crackpots on the internet that an organisation might be tempted to keep an eye on, I cannot agree that the conscious monitoring of Ryan’s words was justified on either ground. That’s not the most crucial point anyway. The point is that it’s unfair for an organisation to do what Southern Health did secretly. Even if they think they can justify doing it, they should have told Ryan that it was happening, clearly and formally. The first Data Protection principle requires that the use of personal data is fair. Whether you consider ‘fair’ in the dictionary sense of the word, or in the specific DP meaning of providing a clear indication to the subject of how their data is being processed, it seems obvious that Southern Trust didn’t do that. Individual staff members might read things on the internet, and discuss them at work; that’s normal and natural. It’s also not what happened in Ryan’s case.

Before the summer, Hackney Council came unstuck when they accidentally revealed themselves as having been profiling their FOI applicants (inevitably, they did so by emailing such a profile to one of their applicants). I’m making the same argument here as I did then, but about a much more serious scenario. Southern Health Trust had an obligation under the Data Protection Act to inform Sara Ryan that they were processing her and her son’s personal data by formally monitoring and analysing her blog, and the purpose of this was (as far as I can see) to protect and manage the Trust’s reputation. That might be an awkward conversation to have, but if explaining the purpose for processing data seems unpalatable, that might indicate something about fairness of the processing overall. There are exemptions to fairness, but I don’t see that any of them apply here.

Sara Ryan and her family have much bigger challenges to deal with than Data Protection, and it’s very, very far from being the focus of the story. Nevertheless, there is nothing in the Data Protection Act that says that the public domain is off-limits. Whatever else, fairness still applies, and organisations have to accept that if they want to monitor what people are saying, they have to be open about it.

Comments

  1. Great overview and the data protection angle is welcome; those of us involved in the #JusticeforLB campaign are committed to sharing learning on every angle of this debacle.

    The other data protection snippet of course is that Southern Health did not disclose this information to Sara Ryan when requested; this was uncovered by a FOI request to the CCG, despite it originating from the Trust and the Trust failing to disclose it now. They’re seemingly writing the book on how not to behave in the face of a preventable death.

    • I didn’t make much of that other point, but it’s well worth drawing out. I cannot see any justification / exemption under the FOI Act that would allow the information to be withheld. The fact that the CCG gave it out is evidence in itself, but if I go through the exemptions in my head, the public interest is disclosure wins out.

  2. Thank you for this very interesting and informative blog. I have a question for you if that’s ok? Would the Data Protection Act as you describe it in your post also apply to health professionals searching out information about their patients online without their knowledge or permission, even if this was not done with mal-intent. The reason I ask is that this has been raised with me a few times. I personally believe it is unethical to search for patients online in all but exceptional circumstances (for example if a patient asks you to look at something they have posted online) but I am now aware of any legal basis for this.

    • Thanks for your comment. I think the first Data Protection principle applies to this situation. Personal data should only be gathered and used fairly, unless one of the (limited) exemptions apply. A health professional searching out information on the internet without their patient’s knowledge would – in my opinion – fall squarely outside the patient’s reasonable expectations. Therefore, I think the health professional would be require by the 1st DP principle to inform the patient that they were going to do it. Without consent, they would then have to satisfy an alternative condition for gathering the data. I wouldn’t say that this was impossible, but it’s still a legitimate question – without my consent, how under the Data Protection Act do you justify doing this? A health professional would have to have a ready answer to the question.

Trackbacks

  1. […] blog, which led to this post from Anne Marie Cunningham about the ethical implications and this one from Tim Turner on the data protection and FOI elements. It is somewhat ironic that after promoting heavily their […]

  2. […] to chill me. I woke in the early hours with sense of horror and deep distress. Glad to read Tim Turner’s thoughts on the data protection issues raised by such this document. Some relief in hearing […]

  3. […] Turner wrote recently about the data protection implications of the monitoring of Sara Ryan’s blog by Southern […]

%d bloggers like this: