Trust misplaced – NHS Trusts and their Use of Meta Pixel

Introduction

The Observer revealed that several NHS Trusts have been in breach of the UK GDPR for years without even knowing it.[1] As it turns out, the implicated NHS Trusts have been using the Meta Pixel tool – a piece of code inserted into the back-end of the organisations’ websites, which is particularly useful as it provides the organisation with information on how website users engage with the ads shown on the website. With the insights gained through the information provided by Meta Pixel, organisations can adjust the ads to the preferences and needs of a specific user, improving the overall engagement on their website in the long run. It was exactly this piece of code that led to the Trusts inadvertently transferring sensitive personal data to Meta without prior consent.

In this article, we will explain why this is a concerning data breach with potentially significant consequences, and highlight the relevant privacy issues. We will present our recommendations to prevent similar, essentially avoidable, data breaches from happening in the future.

Yes, this is a data breach

According to The Observer, the data that was shared included the viewed pages, clicked buttons and searched keywords, all of which were matched to the user’s IP address and in many cases included details of the user’s Facebook account as well. An IP address qualifies as personal data according to the CJEU.[2] Consequently, the UK GDPR is applicable in this case.

The UK GDPR does not provide for data controllers to be at fault only where they knowingly and willingly breach their data protection responsibilities and obligations. The provisions of the UK GDPR make it the duty of data controllers to know and be aware of the processing happening within the organisation; it is part of their due diligence. As such, ignorance or a lack of intention is not a defence. Furthermore, even if reliance on ignorance were accepted under the UK GDPR as an excuse for being in breach, the NHS Trusts’ claim to ignorance is questionable, since the concerning issue of Meta receiving sensitive health data through the use of its tracking tools was raised as early as June 2022 in the US,[3] meaning that the NHS Trusts ought to have known about the privacy issues.

Seeing as the users were visiting NHS webpages about HIV, gender identity services, sexual health and cancer, it is clear that the information connected and linked to the respective IP addresses is of a highly sensitive nature. In fact, information such as this qualifies as a ‘special category of personal data’ according to Article 9 UK GDPR and merits special protection due to the potentially severe adverse effect it could have on the individual. Furthermore, NHS Trusts serve the purpose of providing goods and services in the realm of health service and patient care (Section 25(1) National Health Service Act 2006). This establishes a close relationship between the Trusts and patients. As a consequence, and because of the vulnerability of the patients, the NHS and its Trusts are held to higher standards, as they are expected to be extra careful when handling patients and their data. Understandably, a data breach such as this one could be seen as a breach of the trust that this special relationship generates, leading to the breach being felt more acutely.

The ICO is investigating this matter and, while the ICO has announced its revised approach towards enforcement against public sector entities, stating that fines will be reserved for the most serious cases, it is possible that this situation could warrant the issuing of a fine.[4] This is because the transfer of personal data to Meta has been happening for a number of years, potentially affecting millions of people, and because of the highly sensitive nature of the information involved.

The specific privacy issues involved

Data Protection Principles

Under the UK GDPR, data controllers have to process data lawfully, fairly and transparently. The practice in question is in breach of all three data protection principles. As The Observer states, the transfer of data could not be based on consent, seeing as the users were not informed and were not given a chance to consent before the transfer happened.[5] Other lawful bases are out of the question, especially legitimate interest, as it is highly unlikely that the Trusts could successfully argue that their interests override the interest of the users in keeping their sensitive health data private. This makes the processing unlawful.

Part of the principle of fair processing and transparency is informing the data subject of what they can expect will be done with their data, specifically requiring that personal data is handled in ways that people would ‘reasonably expect’.[6] As indicated in The Observer’s exposé, the NHS Trusts were not aware of the transfer of personal data and were, therefore, not in a position to inform the data subjects properly of the processing that was happening. It further states that some of the NHS Trusts even promised in their privacy notices never to share user data for marketing purposes. The subsequent transfer of the personal data to Meta is in direct contradiction to those promises. In that sense, the Trusts were neither fair nor sufficiently transparent with the data subjects and were, in fact, even misleading with their well-intended promises. Therefore, the NHS Trusts were in breach of the principle of fairness and transparency.

International data transfer

Lastly, Meta is located in the US, making the data sharing an international transfer to a country for which no adequacy decision exists, since the invalidation of the adequacy decision for the US Privacy Shield in 2020 by the CJEU and with a new adequacy decision for the US Privacy Framework still pending.[7] It is possible that Meta has SCCs incorporated in its agreements with the NHS Trusts.[8] If that is the case, the international transfer might have been possible. However, as previously discussed in our article of 7th June 2023, the Irish Data Protection Authority held in its decision that neither the old (2010) nor the new (2021) SCCs used by Meta meet the ‘GDPR standard of essential equivalence’.[9] Meta declared it would appeal this decision;[10] however, it can be assumed that until a final decision, the SCCs cannot be relied on as appropriate safeguards.

As a result of not being able to rely on Article 46 UK GDPR, the NHS Trusts would have to rely on a derogation under Article 49 UK GDPR. None of the derogations are applicable in this situation, which is why the international transfer was not allowed under the UK GDPR.

Recommendations

This revelation highlights how important it is for data controllers to have comprehensive knowledge and an overview of the processing actually happening within the organisation. The best way to keep track of the processing is by keeping an Information Asset Register (IAR) and a Record of Processing Activity (RoPA) and ensuring that both documents are diligently updated. This practice will ensure that organisations are aware of the processing at all levels.
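Knowing what processing actually happens on a website starts with inventorying the third-party code embedded in it. As an added example (not part of the original article), the Python script below scans a page's HTML for the publicly documented markers of the Meta Pixel snippet (the fbevents.js loader, the fbq('init'/'track') calls and the noscript image beacon) and reports the pixel ids and event names it finds; the sample HTML and the pixel id in it are constructed.

```python
import re
from dataclasses import dataclass, field

# Publicly documented markers of the Meta Pixel snippet: the fbevents.js loader,
# the fbq() init/track calls, and the <noscript> image beacon fallback.
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js", re.I)
PIXEL_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]", re.I)
PIXEL_TRACK = re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
PIXEL_BEACON = re.compile(r"facebook\.com/tr\?[^\"'\s>]*\bid=(\d+)", re.I)


@dataclass
class PixelFindings:
    loader_present: bool = False
    pixel_ids: set = field(default_factory=set)   # ids seen in init calls / beacons
    events: list = field(default_factory=list)    # event names passed to fbq('track...')

    @property
    def detected(self) -> bool:
        return self.loader_present or bool(self.pixel_ids)


def scan_html(html: str) -> PixelFindings:
    """Return the Meta Pixel markers found in one HTML document."""
    findings = PixelFindings()
    findings.loader_present = PIXEL_LOADER.search(html) is not None
    findings.pixel_ids.update(PIXEL_INIT.findall(html))
    findings.pixel_ids.update(PIXEL_BEACON.findall(html))
    findings.events = PIXEL_TRACK.findall(html)
    return findings


# Constructed sample page (hypothetical pixel id): the standard snippet plus a
# custom event that would send the name of the service the visitor looked at.
SAMPLE_HTML = """<html><head>
<script>
/* pixel loader omitted */
fbq('init', '000000000000000');
fbq('track', 'PageView');
fbq('trackCustom', 'ServiceViewed', {service: 'sexual-health'});
</script>
<noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><h1>Sexual health clinic</h1></body></html>"""

if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    print("Meta Pixel detected:", result.detected, "ids:", sorted(result.pixel_ids))
    print("Events sent to Meta:", result.events)
```

Any hit is an entry for the IAR and RoPA; a custom event carrying a service or condition name, as in the sample, is the kind of detail that turns a page view into special category data.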

Organisations need to be extra careful when introducing new technologies to their business activities and systems, especially if those technologies in any way concern the personal data of data subjects. That is why the completion of a Data Protection Impact Assessment (DPIA) is essential. It is the very purpose of a DPIA to help data controllers identify and minimise the data protection risks of a project. While a DPIA is only necessary if the intended processing might result in a high risk to the data subjects, considering that NHS Trusts routinely process sensitive personal data, a DPIA should more often than not be completed when a new processing technology is to be introduced. When considering new technologies, NHS Trusts should also consider consulting tech and privacy experts to actually understand the technology and what it does. While this inevitably poses another financial burden on organisations, not approving this expenditure might cost the NHS Trusts something more precious: the relationship of trust between the NHS and its patients.


[1] Shanti Das, ‘NHS Data Breach: Trusts Shared Patient Details with Facebook Without Consent’ (The Observer, 27th May 2023) available at <https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent> accessed 1st June 2023.

[2] C-582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] 10 WLUK 420.

[3] Anson Chan, ‘Facebook Is Receiving Sensitive Medical Information from Hospital Websites’ (The Markup, 16th June 2022) available at <https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites> accessed 9th June 2023.

[4] ICO, ‘ICO sets out revised approach to public sector enforcement’ (30th June 2022) available at <https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/06/ico-sets-out-revised-approach-to-public-sector-enforcement/> accessed 9th June 2023.

[5] Shanti Das, ‘NHS Data Breach: Trusts Shared Patient Details with Facebook Without Consent’ (The Observer, 27th May 2023) available at <https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent> accessed 1st June 2023.

[6] ICO, ‘Guidance on Principle (a): Lawfulness, fairness and transparency’, available at <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/the-principles/lawfulness-fairness-and-transparency/> accessed 1st June 2023.

[7] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (16th July 2020).

[8] Meta uses Processor-to-Processor SCCs in general, see <https://en-gb.facebook.com/business/help/336550838147603> accessed 20th June 2023.

[9] Caitlin Fennessy and Joe Jones, ‘Ireland DPC’s data transfers decision: Pragmatic punch or knockout blow?’ (IAPP, 22nd May 2023) available at <https://iapp.org/news/a/ireland-dpcs-data-transfers-decision-pragmatic-punch-or-knockout-blow/> accessed 20th June 2023.

[10] Nick Clegg and Jennifer Newstead, ‘Our Response to the Decision on Facebook’s EU-US Data Transfers’ (Meta, 22nd May 2023) accessed 20th June 2023.
