Balancing privacy and data sharing

In his recently published Annual Report for 2005-06, the Information Commissioner Richard Thomas states: “simultaneously protecting privacy and promoting openness – an apparent challenge for a regulator – is one I can reconcile without difficulty”. In a document “Information Sharing to Improve Services for Children”, his office continues to maintain that the “Data Protection Act [1998; “DPA” here] does not stop information sharing where appropriate”.

The Commissioner and his office (the ICO) make such statements in spite of an increasing number of e-government initiatives designed to promote data sharing within the public sector, and ultimately to improve public services and make economic savings. But whilst pushing the boundaries of progress, both the UK Government and the Scottish Parliament must ensure that they do not lose sight of their objectives and find themselves on the wrong side of data protection principles.

Lack of understanding

The high profile cases featured in the panel clearly indicate that a better understanding of statutory data retention obligations and privacy laws is needed before any further government initiatives are introduced to encourage data sharing. Certainly, we should be encouraged by the number of courses now available to IT managers and information/data protection officers in this regard. But have public authorities resolved their concerns with regard to data sharing, in light of a better understanding of the DPA? Or does the apparent complexity of the Act continue to bamboozle information officers and potentially inhibit the improved delivery of public services?

The Information Commissioner stated in his report that he does “not want data protection to be wrongly blamed for preventing sensible information sharing, for example to detect crime, protect children at risk or prevent fraud”; but admits that “there is too much uncertainty and misunderstanding within the public sector about what can or cannot be done”. Is this an admission that little progress has been made in this area since the last annual report?

The Commissioner’s comments appear to suggest as much. He does, however, acknowledge that recently introduced e-government initiatives designed to improve public services have demonstrated that information can be shared in an acceptable way, citing the example of the highly successful online car tax renewal initiative.

Steps forward

Indeed, a number of steps have been taken over the last couple of years to encourage information sharing between public sector departments. In June this year the Scottish Executive published a discussion document, “Transforming Public Services: The Next Phase of Reform”, which aims to encourage debate on the use of technology in improving public services in Scotland. In particular, it cites the successful example of the eCare Programme, an electronic data sharing system which allows health boards, local authorities and voluntary agencies to share information on clients, subject to their consent. So successful has the programme been, that the Executive is considering similar schemes for other public sector agencies.

Such schemes have been introduced locally throughout the UK. In London, an online information sharing service (“NOTIFY”) has been introduced to improve access to services for those housed in temporary accommodation across 33 London boroughs. The scheme is founded on a data sharing and security agreement, which restricts the information for viewing on a “need to know” basis. Similarly, a number of primary care trusts have introduced electronic health records which allow information to be shared between disciplines, and enable patients to receive medical advice without having to attend their doctor’s practice. On a wider scale, the Disclosure Scotland scheme and the Criminal Records Bureau, both provided for by statute, enable employers to assess whether individuals are suitable to work with children. But because all these schemes operate in isolation, the problem remains that there is no comprehensive overview of e-government in Scotland or the UK. It is therefore difficult to ensure that e-government is fully integrated and operating efficiently, which ultimately causes problems in compliance with data protection and privacy issues generally.

The UK Department of Health considered the advantages of data sharing in its report “Making a Difference: Safe and Secure Data Sharing Between Health and Adult Social Care Staff”, published in March. The report states that the provision of a “world class” health service relies heavily on effective data sharing by both health and social care staff. It also concedes that much work needs to be done to ensure public confidence in this network, and that there continues to be confusion among practitioners as to what information can and cannot be shared under the DPA. In this regard, there is a need to develop practical approaches for those working in the social services sector and health authorities.

The most ambitious

Nevertheless, the government continues to press on with its programme to improve services through technology – and not just in the field of health and social services. In early July it announced what has been heralded as “the mother of all projects”: “Transformational Government: Enabled by Technology”. This strategy aims to improve all public services by the use of technology, including the National Health Service, the criminal justice system and the education system. It is hoped that the strategy will bring major efficiencies to the public service sector and ultimately benefit its end users, the general public.

The Information Commissioner’s response (available at www.ico.gov.uk) has been lukewarm. He cautions that information sharing strategies should “proceed on the basis of well justified need rather than available technological capacity”. At the very least, the new systems should abide by the eight data protection principles of the DPA. Perhaps more importantly, given that the public is already very much aware of the threat to their data from criminals, hackers and terrorists, the proposals must also inspire public confidence. To encourage transparency, the Commissioner recommends that certain data protection and privacy safeguards should be built into new technology systems at the earliest opportunity. Formal “privacy impact assessments” should be carried out to assess whether the data sharing technologies proposed are proportionate to the ultimate aims of the strategy. Where possible, data sharing systems should be based on privacy-enhancing technologies. The ICO should participate in consultations as to which service areas should be involved in the scheme, and how they should be transformed. Greater data sharing will necessarily mean greater risk of misuse of information by staff in service industries: the Commissioner recommends that the offence provisions under DPA should be revised to include a custodial sentence, as a deterrent to “information blagging”.

Continuing concerns

It cannot be ignored that authorities continue to be concerned as to what information they can share, and many simply do not seem to feel comfortable using the Government Connect’s basket of services as they are uncertain how this can be reconciled with the requirements of the DPA and the protection of privacy. At the heart of the problem lies the fact that each public authority is ultimately responsible for its own decisions. When faced with any proposed data sharing scheme, it must consider: has the proposed scheme been sanctioned by some form of statutory or common law power? Does it comply with the Human Rights Act and article 8 of the European Convention? Does it breach the common law obligation of confidentiality and, of course, is it compliant with the Data Protection Act?  If the public authority concludes that it does not have the necessary vires then the data sharing cannot take place – regardless of the potential improvement in the provision of services.

So, are local and public authorities simply bereft of comprehensive guidance on data sharing? In response to a question in the House of Commons earlier this year, as to whether she could list the documents her department had published on data sharing between public sector organisations since 2001, Minister of State Harriet Harman stated that the Department for Constitutional Affairs (DCA) had published legal guidance on data sharing in November 2003, along with a public sector toolkit, and that the public service guarantee was published in October 2004. Since then our government has introduced several major technology projects, each raising complex data protection questions. The time has arrived to review the status of the DCA guidance in light of the considerable IT advances and the concerns that accompany them.

On 13 September the DCA issued its “Information Sharing Vision Statement”. The paper outlines the government’s commitment to information sharing throughout the public sector, while recognising the need to work with the ICO “to ensure that personal information is kept safe and secure, and in compliance with the Data Protection Act”. The DCA encourages the use of the Commissioner’s codes of practice and cites the successful use of the Code of Data Matching Practice 2006 by the National Fraud Initiative. The statement also acknowledges that the ICO “is developing guidelines against which information sharing proposals involving personal data may be assessed, and a framework Code of Practice which will help public sector organisations ensure that their sharing of personal information respects personal privacy”. Finally it appears that the government understands the importance of working hand in hand with the ICO. Watch this space, as they say!

Valerie Surgenor is an associate with MacRoberts, Glasgow