s [ Pobierz całość w formacie PDF ]

fall on those who acquire, possess, use or disclose medical data for
each of these and for other purposes, as well as distinguishing and
arguing for the variety of second-order obligations that can help
assure that these first-order obligations are properly met. Only if we
can set out the demands of these informational obligations will we
have a basis for arbitrating disagreements about the proper config-
uration of rights to informational privacy. Here, as elsewhere, treat-
ing rights as independent of, or prior to, obligations may lead only to
uncertainty and indeterminacy.6
DATA PROTECTI ON LEGI SLATI ON: SECOND- ORDER
I NFORMATI ONAL OBLI GATI ONS
Accounts of informational privacy set out certain first-order obliga-
tions that bear on the use of information, including the use of
information about persons. Both content-based and agency-based
approaches to informational obligations often reinforce these first-
order informational obligations by instituting or imposing second-
order obligations to observe, report on and enforce aspects of
6
See Onora O Neill,  The Dark Side of Human Rights , International Affairs, 81, 2
(2005), 427 39.
112 Rethinking Informed Consent in Bioethics
informational privacy. Regulation of personal information has been a
focus of complex legislation in many jurisdictions in recent years.
There are many reasons for this intense legislative and regulative
activity. Typically new measures have been introduced to counter
possibly adverse effects of new information technologies, by regu-
lating their use and by enforcing that regulation.7
Our focus in this section will be very specifically on the second-
order control of information enacted in the UK Data Protection Act
1998 (DPA 98), which aims to regulate uses of specific types of
information.8 This legislation assumes and builds on a view of
informational privacy as a matter of rights over  personal informa-
tion: its starting point is a content-based rather than an agency-based
account of privacy and personal information.
The Act assigns individual consent a large, indeed pivotal, role in
controlling the lawful acquisition, possession and use of  personal
information.9 Individual consent is seen as a way of waiving others
obligations, thereby rendering lawful what would otherwise be imper-
missible  data processing . The Act assigns a wide variety of complex
first- and second-order obligations to those who acquire, obtain, hold
or use information of the relevant types.10 Supposedly these obligations
7
For example, see Colin J. Bennett, Regulating Privacy: Data Protection and Public
Policy in Europe and the United States (Ithaca, NY: Cornell University Press, 1992).
8
The text of the Act can be found at http://www.hmso.gov.uk/acts/acts1998/
19980029.htm.
9
Schedules 2, 3 and 4 to DPA 98 specify certain conditions, at least one of which
must be met for the legitimate processing of personal data and sensitive personal
data. In each Schedule the subject s consent is listed first, followed by a number of
other conditions that can exceptionally make processing of personal data lawful
without consent. The Act also grants the Secretary of State certain powers to
exempt specific uses of personal and sensitive information from data protection
provisions.
10
By  informational obligation in this context we mean both (a) obligations that
pertain to the acquisition, storage and use of information; and (b) obligations to
engage in, or to ensure that one is in a position to engage in, certain kinds of
communicative (or informative) acts. We shall also refer to the European Data
Protection Directive (Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995. On the protection of individuals with regard to the
processing of personal data and on the free movement of such data).
Informational privacy and data protection 113
are correlative to each data subject s rights over  personal information
or data held about her.11 In the Act personal data are defined as:12
. . . data which relate to a living individual who can be identified (a) from those
data, or (b) from those data and other information which is in the possession
of, or is likely to come into the possession of, the data controller.
What are we to make of the idea of data relating to a living
individual? Wearing a strictly-minded philosopher s hat (though we
recognise that this is not the right attire for legal interpretation), we
might point out that unless we are told what the relation in question is,
we are at a loss. After all, any bit of data relates to any arbitrary individual
in some way or other (all it takes is a little patience and ingenuity  and a
lack of a decent social life  to come up with examples). But data
11
(1) The right of subject access. DPA 98 allows individuals to find out what
information is held about themselves on computer and some paper records.
This is known as the right of subject access.
(2) The right of rectification, blocking, erasure and destruction. DPA 98 allows
individuals to apply to the court to order a data controller to rectify, block, [ Pobierz całość w formacie PDF ]