Yesterday, Sara Ryan posted – with understandable fury – information she had obtained via Freedom of Information about monitoring of her blog by Southern Health NHS Trust. It’s difficult to quickly summarise the story of Ryan and her son Connor, but the crucial fact for my comments here is that Ryan writes a compelling blog, which used to be about Connor’s learning difficulties, and which became a heartbreaking and angry chronicle of what she has experienced following Connor’s preventable death in a Southern Health treatment centre.
I don’t have kids and I have no idea what Ryan and her family have gone through so it’s pointless for me to speculate. It seems almost distasteful to find a data protection angle in the story, but nevertheless, the cause of Ryan’s anger this week should echo loudly through all organisations that deal with the public, and especially with their Data Protection officers.
Ryan’s blog reports that last week, the board chair, Simon Waugh, told her that there had been no surveillance of her blogging. This week, she received information from the Clinical Commissioning Group that told another story. A report was written by the Trust the day after Connor died. The aim was to “help in shaping a tailored media response to the incident and monitoring of potential media interest in the incident”. Always good to get your priorities right.
It appears from some of the summaries that Ryan published that staff had discussed some of her blog posts with her. The summary states that “Approaches have been made by the staff to speak to the mother about the appropriateness of what she writes and intentions have been that these conversations should happen face to face and no formal response would be taken through social media.” That sentence is so passive and oblique that I am not entirely sure what was said and what conclusion Ryan would reasonably have drawn if there was a proper discussion. Even so, it’s obvious that she was not aware that her blog posts were being read and summarised by the trust’s ‘Communications and Engagement Manager’; her data and that of her son was being processed for the Trust’s purposes without her knowledge.
A cynical person (which I usually am) might say that everything Ryan wrote was in the public domain, that she should have expected that people in the Trust would read it. But they would be wrong. The Information Commissioner’s rather woolly guidance on Personal Information Online makes the unavoidable point that all gathering of personal data must be fair:
“If you collect information from the internet and use it in a way that’s unfair or breaches the other data protection principles, you could still be subject to enforcement action under the DPA even though the information was obtained from a publicly available source.”
And there’s more: “You should only use their information in a way they are likely to expect and to be comfortable with.”
There’s a debate to be had about whether an organisation is ever entitled to do this kind of thing. Whether you look at the question legally or ethically, I’m not sure what the answer is. Nevertheless, even accounting for the fact that there are crackpots on the internet that an organisation might be tempted to keep an eye on, I cannot agree that the conscious monitoring of Ryan’s words was justified on either ground. That’s not the most crucial point anyway. The point is that it’s unfair for an organisation to do what Southern Health did secretly. Even if they think they can justify doing it, they should have told Ryan that it was happening, clearly and formally. The first Data Protection principle requires that the use of personal data is fair. Whether you consider ‘fair’ in the dictionary sense of the word, or in the specific DP meaning of providing a clear indication to the subject of how their data is being processed, it seems obvious that Southern Trust didn’t do that. Individual staff members might read things on the internet, and discuss them at work; that’s normal and natural. It’s also not what happened in Ryan’s case.
Before the summer, Hackney Council came unstuck when they accidentally revealed themselves as having been profiling their FOI applicants (inevitably, they did so by emailing such a profile to one of their applicants). I’m making the same argument here as I did then, but about a much more serious scenario. Southern Health Trust had an obligation under the Data Protection Act to inform Sara Ryan that they were processing her and her son’s personal data by formally monitoring and analysing her blog, and the purpose of this was (as far as I can see) to protect and manage the Trust’s reputation. That might be an awkward conversation to have, but if explaining the purpose for processing data seems unpalatable, that might indicate something about fairness of the processing overall. There are exemptions to fairness, but I don’t see that any of them apply here.
Sara Ryan and her family have much bigger challenges to deal with than Data Protection, and it’s very, very far from being the focus of the story. Nevertheless, there is nothing in the Data Protection Act that says that the public domain is off-limits. Whatever else, fairness still applies, and organisations have to accept that if they want to monitor what people are saying, they have to be open about it.