Fair use/Specified purpose and the IBTS
I am a blood donor. I am proud of it. I have provided quite a lot of sensitive personal data to the IBTS over the years that I’ve been donating.
The specific purposes for which I believed I was providing the information were to allow the IBTS to administer communications with me as a donor (so I know when clinics are on and can donate), to allow the IBTS to identify me and track my donation patterns, and to alert IBTS staff to any reasons why I cannot donate on a given occasion (donated too recently, I've had an illness, etc.). I accepted as implied purposes the use of my information for internal reporting and statistical purposes.
I did not provide the information for the purposes of testing software developed by a 3rd party, particularly when that party is in a foreign country.
The IBTS's own statement on personal data, on its website, says:
The IBTS does not collect any personal data about you on this website apart from information which you volunteer (for example by emailing us or by using our on line contact forms). Any information which you provide in this way is not made available to any third parties, and is used by the IBTS only for the purpose for which you provided it.
In the IBTS’s Donor Charter, they assure potential Donors that:
The IBTS guarantees that all personal information about donors is kept in the strictest confidence
Hmm… so no provision here for production data to be used in testing. Quite the contrary.
However, it gets even better. In the Donor Information Leaflet on the IBTS's website, in the Data Protection section (scroll down; it's right at the bottom), the IBTS tells current and potential donors that (emphasis is mine throughout):
The IBTS holds donor details, donation details and test results on a secure computerised database. This database is used by the IBTS to communicate with donors and to record their donation details, including all blood sample test results. It is also used for the proper and necessary administration of the IBTS. All the information held is treated with the strictest confidence.
This information may also be used for research in order to improve our knowledge about the blood donor population, and for clinical audit, to assess and improve the quality of our service. Wherever possible, all such information will be anonymised.
Right... so from their policy and their statement of fair use and specified purposes we learn that:
- They can use it for communication with donors and for tracking donation details and results of tests (as expected)
- They can use it for necessary administration. Which covers internal reporting but, I would argue, not giving it to other organisations to lose on their behalf.
- They can use it for research about the blood donor population, auditing clinical practices. This is OK… and expected.
- They are also permitted to use the data to “improve the quality of [their] service”. That might cover the use of the data for testing…
Until you read that last bit: the data would be anonymised wherever possible. In practice that means creating dummy data, as described towards the end of my last post on this topic, rather than shipping real donor records.
So, the IBTS did not specify at any time that they would use the information I had provided to them for the purposes of software development by 3rd parties. It did specify a purpose for using the information for the improvement of service quality. But only if it was anonymised.
Section 2 of the Data Protection Act says that data can only be used by a Data Controller for the specific purposes for which it has been gathered. As the use of un-anonymised personal data for the purposes of software development by agencies based outside of the EU (or in the EU, for that matter) was not a specified use, the IBTS is, at this point, in breach of the Data Protection Act. If the data had been anonymised (i.e. if 'fictional' test data had been used, or if the identifying elements of the personal data had been muddled up before being transferred) there would likely be no issue:
- Firstly, the data would have been provided in a manner consistent with the specified use of the data
- Secondly, there would have been no risk to personal data security as the data on the stolen laptop would not have related to an identifiable person in the real world.
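To make the "muddled up before being transferred" option concrete, here is an added example (not code from the original post, and nothing to do with the IBTS's actual systems) of masking a production-style extract before it leaves the data controller. The record layout, the donor values and the key are all constructed for illustration. It keeps what a software tester needs (donor-to-donation joins, blood group, donation spacing) while replacing every direct identifier, and it finishes with a check that none of the original identifying values survived.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample records standing in for a production donor extract.
# Fictional people; the column names are an assumption, not any real schema.
DONORS = [
    {"donor_id": "D1001", "name": "Aoife Murphy", "dob": date(1975, 3, 14),
     "address": "12 Example Road, Dublin 4", "blood_group": "O-"},
    {"donor_id": "D1002", "name": "Ciaran Walsh", "dob": date(1982, 11, 2),
     "address": "5 Sample Street, Cork", "blood_group": "A+"},
]
DONATIONS = [
    {"donor_id": "D1001", "donated_on": date(2007, 1, 9), "hbv_result": "negative"},
    {"donor_id": "D1001", "donated_on": date(2007, 5, 22), "hbv_result": "negative"},
    {"donor_id": "D1002", "donated_on": date(2007, 6, 30), "hbv_result": "negative"},
]

# Fields that identify a real person on their own; all of them must change.
DIRECT_IDENTIFIERS = ("donor_id", "name", "address", "dob")


def pseudonym(value, key):
    """Keyed hash of a production ID: the same donor always gets the same test ID,
    so donor <-> donation joins still work, but the test ID cannot be reversed
    without the key (which stays with the data controller, never the vendor)."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "T" + digest[:8].upper()


def anonymise(donors, donations, key, seed=0):
    """Return (masked_donors, masked_donations) safe to hand to a test team."""
    rng = random.Random(seed)          # seeded so a test fixture is reproducible
    id_map = {}
    out_donors = []
    for d in donors:
        new_id = pseudonym(d["donor_id"], key)
        id_map[d["donor_id"]] = new_id
        # Shift date of birth by a non-zero per-donor offset of up to a year:
        # coarse age is enough to exercise eligibility rules, exact DOB is not needed.
        shift = timedelta(days=rng.randint(1, 365) * rng.choice((-1, 1)))
        out_donors.append({
            "donor_id": new_id,
            "name": f"Test Donor {len(out_donors) + 1:04d}",
            "dob": d["dob"] + shift,
            "address": "1 Test Street, Testtown",
            # Operationally needed for the application under test and not
            # identifying on its own, so it is carried across unchanged.
            "blood_group": d["blood_group"],
        })
    # Donation rows keep their dates and results (the interval between
    # donations is exactly what the eligibility code must be tested against),
    # but are re-keyed to the pseudonymous donor ID.
    out_donations = [{**r, "donor_id": id_map[r["donor_id"]]} for r in donations]
    return out_donors, out_donations


def leaks_identifiers(originals, masked):
    """True if any original direct-identifier value survives in the masked set.
    Run this as a release gate before the extract is copied anywhere."""
    original_values = {str(d[f]) for d in originals for f in DIRECT_IDENTIFIERS}
    return any(str(m[f]) in original_values
               for m in masked for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"example-key-kept-by-the-data-controller"   # constructed, not a real secret
    masked_donors, masked_donations = anonymise(DONORS, DONATIONS, key)
    for row in masked_donors:
        print(row)
    print("identifier leak:", leaks_identifiers(DONORS, masked_donors))
```

Two caveats a practitioner would want stated. First, a keyed pseudonym is reversible by whoever holds the key, so this is pseudonymisation, not anonymisation, unless the key is destroyed or never leaves the controller; if the testers do not need any link back to real records, generate entirely fictional donors instead of deriving them from production at all. Second, the leak check above only catches direct identifiers; combinations of quasi-identifiers (rare blood group plus donation dates plus clinic location) can still single out a person, so what is carried across unchanged needs the same scrutiny.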
Of course, that would have cost a few euros to do, so it was probably de-scoped from the project.
If I get a letter and my data was not anonymised I’ll be raising a specific complaint under Section 2 of the Data Protection Act. If the data was not anonymised (regardless of the security precautions applied) then the IBTS is in breach of their specified purposes for the collection of the data and are in breach of the Data Protection Act.
Billy Hawkes, if you are reading this, I've just saved your team 3 weeks' work.