Matt Hancock is a gift to data protection lawyers. Alongside his service to the ‘entertainment’ industry, he has been a regular source of data protection-related stories during his political career. Remember the Matt Hancock App? A privacy nightmare wanting access to the user’s data, location and even photos. Then there was the leak of the CCTV stills showing Mr Hancock demonstrating how not to do social distancing with his now partner, Gina Coladangelo. 

Ibrahim Hasan

Last week we learnt that the former health secretary shared more than 100,000 Covid WhatsApp messages with a journalist (Isabel Oakeshott) to help him write his book, Pandemic Diaries: The inside story of Britain’s battle against Covid. Despite signing a non-disclosure agreement, Oakeshott decided it was in the public interest to disclose the messages to The Daily Telegraph. Consequently, we have had daily revelations about the internal discussions of senior politicians and advisers during the Covid pandemic.

The Information Commissioner’s Office (ICO) issued a statement saying, among other things: ‘At this stage we do not see this as a matter for the ICO but there are questions around the conditions on which departing members of government retain and subsequently use official information which need to be considered by organisations such as the Cabinet Office.’

Many have questioned the first part of this statement. On the face of it the General Data Protection Regulation (GDPR) applies in this situation and possible breaches of it merit further consideration by the ICO.

After all, there is personal data in the Hancock messages. At the very least they identify government employees and politicians expressing their views; some would say private views. They may also include sensitive government data; maybe even more photos and videos! Questions also need to be asked about Hancock’s retention of the data after his role as health secretary ended in spectacular fashion and disclosure of the messages to Oakeshott to write his book, both of which potentially breach the GDPR principles.

The ICO may well change its stance as the drip-drip of revelations continues. Regardless, all organisations should heed some valuable lessons from this saga. All leavers (be they employees, politicians or office holders) pose a data protection risk. As soon as they make their intentions known, an audit of the personal data they hold, and where they hold it, should be undertaken. Upon leaving (or maybe even a few days before) all access to personal data systems should be withdrawn.

Leavers should also be reminded of section 170(1) of the Data Protection Act 2018 (DPA 2018) which makes it a criminal offence for a person to knowingly or recklessly:

(a) obtain or disclose personal data without the consent of the controller;

(b) procure the disclosure of personal data to another person without the consent of the controller; or

(c) after obtaining personal data, retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

Section 170 is similar to the offence under section 55 of the old Data Protection Act 1998 which was often used to prosecute employees who had accessed healthcare and financial records without a legitimate reason. Two recent prosecutions highlight the willingness of the ICO to use section 170 to make examples of individuals who seek to access/steal data from their employers for personal gain.

In January, Asif Iqbal Khan pleaded guilty to stealing data of accident victims while working as a customer solutions specialist for the RAC. Over a single month in 2019, the RAC had received 21 complaints from suspicious drivers who received calls from claims management companies following accidents in which the RAC had assisted.

A review of individuals that had accessed these claims found that Khan was the only employee to access all 21. An internal investigation later reported suspicious behaviour from Khan including taking photos of his computer screen with his phone. A search warrant, executed by the ICO, seized two phones from Khan and a customer receipt for £12,000. The phones contained photos of data relating to over 100 road accidents.

Khan appeared at Dudley Magistrates’ Court in January 2023 where he pleaded guilty to two counts of stealing data in breach of section 170 of the DPA 2018. He was fined £5,000 and ordered to pay a victim surcharge as well as court costs.

This is the second recent prosecution under section 170. In August last year, Christopher O’Brien, a former health adviser at the South Warwickshire NHS Foundation Trust, pleaded guilty to accessing medical records of patients without a valid legal reason.

An ICO investigation found that he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. One of the victims said the breach left them worried and anxious about O’Brien having access to their health records, with another victim saying it deterred them from going to their doctor. O’Brien was ordered to pay £250 compensation to 12 patients, totalling £3,000.

Coming back to the Hancock messages, there is certainly a case for the ICO to investigate two possible offences under section 170(1) of the DPA 2018, namely disclosing personal data without the consent of the controller and retaining it without the consent of the controller. Several defences would be available to Hancock, including a public interest defence.

The Department of Health and Social Care may also have breached article 32 of GDPR which requires Data Controllers to implement ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. Did they authorise Hancock to retain the messages and then pass them to Oakeshott? Did they even know that this had happened? Maybe the answer will be in Pandemic Diaries!

Ibrahim Hasan is a solicitor and director of Act Now Training