The European Commission are planning legislation to encourage a Single Market in online delivery of copyright works. They are canvassing opinions as part of a public consultation on DRM, multi-territory rights licensing and piracy. We will draft a submission by the end of February. Please help us by commenting on the questions below.

Please note that we have reproduced the annex (questions) of the European Commission’s consultation on ‘Creative Content Online in the Single Market’. If you want more context on their proposal then have a read of the launch page (click to see) or download the 10 page document (click to download)

Digital Rights Management

1) Do you agree that fostering the adoption of interoperable DRM systems should support the development of online creative content services in the Internal Market? What are the main obstacles to fully interoperable DRM systems? Which commendable practices do you identify as regards DRM interoperability?

2) Do you agree that consumer information with regard to interoperability and personal data protection features of DRM systems should be improved? What could be, in your opinion, the most appropriate means and procedures to improve consumers’
information in respect of DRM systems? Which commendable practices would you identify as regards labelling of digital products and services?

3) Do you agree that reducing the complexity and enhancing the legibility of end-user licence agreements (EULAs) would support the development of online creative content services in the Internal Market? Which recommendable practices do you identify as regards EULAs? Do you identify any particular issue related to EULAs that needs to be addressed?

4) Do you agree that alternative dispute resolution mechanisms in relation to the application and administration of DRM systems would enhance consumers’ confidence in new products and services? Which commendable practices do you identify in that respect?

5) Do you agree that ensuring a non-discriminatory access (for instance for SMEs) to DRM solutions is needed to preserve and foster competition on the market for digital content distribution?

Multi-territory rights licensing

6) Do you agree that the issue of multi-territory rights licensing must be addressed by means of a Recommendation of the European Parliament and the Council?

7) What is in your view the most efficient way of fostering multi-territory rights licensing in the area of audiovisual works? Do you agree that a model of online licences based on the distinction between a primary and a secondary multi-territory market can facilitate EU-wide or multi-territory licensing for the creative content you deal with?

8) Do you agree that business models based on the idea of selling less of more, as illustrated by the so-called “Long tail” theory, benefit from multi-territory rights licences for back-catalogue works (for instance works more than two years old)?

Legal offers and piracy

9) How can increased, effective stakeholder cooperation improve respect of copyright in the online environment?

10) Do you consider the Memorandum of Understanding, recently adopted in France, as an example to followed?

11) Do you consider that applying filtering measures would be an effective way to prevent online copyright infringements?

This consultation is intended to bring greater flexibility to the UK copyright regime by strengthening existing and introducing some entirely new exceptions.

The point of copyright law is to engineer a market in creative expressions and in doing so the law tries to balance the competing interests of creators, publishers and the general public. In this mechanism, exceptions to monopoly rights protect a range of socially-important activities, such as education or reportage. They operate as a kind of safety valve.

We have not reproduced the entire consultation document because its 106 pages long. Instead, extracted below is the more-manageable Executive Summary, which outlines the consultation’s concerns. The Open Rights Group submission will concentrate on the ‘format shifting’ and ‘parody’ exceptions but you’re invited to leave comments on any aspect of the consultation. Scroll down to read and comment on the questions, or click here to get the full document.

EXECUTIVE SUMMARY

1. The Gowers Review of Intellectual Property (“the Gowers Review”) reported in December 2006. The Government announced, as part of the December Pre Budget Report, its intention to take forward the recommendations made to it.

2. A number of the recommendations from the Gowers Review suggest changes to copyright exceptions or the introduction of new exceptions. These changes concerning educational use, libraries and archives, format shifting and parody, are intended to provide more balance and flexibility in the intellectual property (“IP”) system by enabling consumers to use copyright material in ways that do not damage the interests of rights holders. They are also designed to provide clarity concerning the extent of the exceptions in the face of changing technologies.

3. This consultation considers how the Gowers recommendations on exceptions to copyright might be implemented in the UK. A number of options are set out in this paper and your views are sought on the specific questions contained in each chapter and on the issues generally.

Educational Exceptions

4. Two changes to the educational exceptions are proposed. The first is to amend section 35 of the Copyright, Designs and Patents Act 1988 (“CDPA”) which currently allows the recording and showing of broadcasts to students physically present at an educational establishment. The expanded section would allow distance learning students to receive and view these recordings remotely. The consultation paper considers the following issues:

5. The second proposed change is to section 36 of the CDPA which allows educational establishments to copy (usually by photocopier) passages from published works and provide hand outs to students. It is proposed that educational establishments be able to communicate such passages using interactive whiteboards and electronically to distance learners. This proposed change raises the following issues:

Format Shifting

6. It is proposed to create a new exception that would allow consumers to make a copy of a work they legally own, so that they can make the work accessible in another format for playback on a device in their lawful possession. The exception would only apply to personal or private use. The owner would not be permitted to sell, loan or give away the copy or share it more widely (for example in a file sharing system or on the internet). Multiple copying would not be allowed. The development of this exception raises the following questions:

Research and Private Study

7. A number of policy issues are identified in response to the recommendation that the exception for research should be expanded to cover all forms of content, not just literary, artistic, dramatic and musical works:

Libraries and Archives

8. Section 42 of the CDPA currently allows prescribed libraries or archives to make a copy of a literary, dramatic or musical work held in their permanent collection for the purpose of preservation and replacement. It is proposed that the exception be expanded to also allow copies of sound recordings, films and broadcasts to be made. It is further proposed that these prescribed bodies be able to format shift to address the problem that occurs where works are held on unstable media, and that more than a single copy be permitted where successive copying may be required to preserve permanent collections in an accessible format. This proposal raises a number of issues:

Parody

9. The paper considers whether a new exception for parody should be introduced. A fair dealing style exception is proposed. The following issues arise:

General

10. In relation to each of the proposed or expanded exceptions:

NOTES TO USERS

It is most helpful if you direct your comments specifically to the consultation’s questions, although we also welcome more general comments.

Introduction

This paper sets out for consultation proposals for increasing (subject to further consultation) the types of public organisations from which the public can access information. The consultation is aimed at:

(Did not include standard formalities re stakeholders - which does not include ORG - and observing consultations code of practice criteria)

The proposals

1. The Freedom of Information Act 2000 (the Act) came into force on 1 January 2005. The Act makes provision for the disclosure of information held by public authorities. This contributes to the Government’s aim to strengthen the connection between citizens and the state. The Act aims to enable greater transparency, accountability and engagement, for example by providing more information about how taxpayers’ money is spent or by providing the context for better informed public debate.

2. The Act applies to over 100,000 public authorities. These include central government departments, local authorities, schools, colleges and universities, the health service, the police and a range of other public authorities. Those to which the Act applies are required to have a publication scheme, which sets out what information they routinely make available and how, and to answer requests for information in a timely manner. There are three categories to which the Act applies:

The Act terms these persons or organisations ‘public authorities’. This paper uses the term ‘public authority’ to mean a person or an organisation covered by the Act. In the rest of the paper we discuss the coverage of organisations; however individuals who hold a specific office, for example the Auditor General for Wales, can also be covered in the same way.

3. There are clearly defined criteria for an organisation to be listed in Schedule 1 to the Act. Broadly speaking:

Organisations that meet these criteria are periodically brought within the scope of the Act by orders made under section 4. If a company is wholly-owned by a public authority, then it is automatically covered by the Act.

4. No organisation has yet been designated by the Secretary of State for Justice as a public authority for the purposes of the Act (the third category in paragraph 2).

5. The experience of the first years of FOI suggests that the Act is working well and has been successfully implemented across more than 100,000 public authorities. Now is the time to review the coverage of the Act, based on this experience, although the Government recognises that this experience may not directly translate to the private and voluntary sectors.

6. Section 5 of the Act enables the Secretary of State to designate two types of person or organisations as public authorities: those which:

The Secretary of State makes a designation by making what is called a section 5 order. Section 5 is a residual category: that is, a section 5 order cannot cover any organisation that could be listed in Schedule 1 to the Act by the making of a section 4 order, or is already covered by virtue of being wholly-owned by a public authority.

7. Section 7 of the Act requires that any section 5 order must state the functions or services provided under contract for which an organisation is designated. The Act will not apply to any other information held and therefore will not necessarily cover all the work carried out by an organisation. There will be some organisations all of whose functions could be designated under section 5 because they perform only functions of a public nature. In other cases the application of section 5 will be more limited.

8. It is possible in some situations for a section 5 order to designate a class of organisations rather than listing individual organisations. For example, it might be considered appropriate to designate as a class those contracted to run prisons under Part IV of the Criminal Justice Act 1991, rather than listing each individual contractor. This would help reduce the number of orders needed and ensure greater consistency of coverage.

9. The Secretary of State must consult with each organisation, or with representative organisations, before designation can take place. In addition, Impact Assessments would have to be carried out before designating any private bodies.

10. Once this consultation period is completed, the responses will be analysed and policy proposals formulated. In accordance with the Act, representatives of the relevant organisations will then be consulted further. Depending on the responses to the consultations, the Government would hope that any initial section 5 order could be brought into effect by the end of the next Parliamentary session.

Part 1: The case for reviewing coverage of the Act

11. The Government believes that there are good reasons for reviewing coverage of the Act:

12. The Government also believes that in considering how and when to extend coverage of the Act, a balance needs to be struck to ensure that the advantages of openness are considered alongside the potential impact on organisations to be covered. It will need to take account of reasons against extending coverage of the Act to at least some of the organisations to which section 5 could potentially apply. In particular:

13. The Government considers it important to balance the potential benefits of increased information access against the impact on the delivery of public services, on businesses and on the voluntary and community sector. Any decisions on section 5 orders will need to be made on a case-by-case basis in the context of the overall policy objectives. The potential impact would be discussed in the required consultation with the suggested organisations or their representatives and analysed in an Impact Assessment.

14. In considering whether to extend the application of the Act to organisations with functions of a public nature or to public service contractors, the Government has considered a number of alternatives to using section 5 orders to increase information access. The options considered for the use of section 5 orders and for alternatives are set out below, with some of the considerations needing to be taken into account.

Option 1: take no action at this time. If no changes were made to the scope of the Act, the statutory right of access to information would continue to be limited to information held by those public authorities currently covered by the Act. There would be no new rights of access to information from other organisations providing public services under contract or which have functions of a public nature. As noted above, some such organisations are significantly involved in delivering public services but are under no general obligation to provide information about these activities. This may be thought anomalous and inconsistent with the objectives underlying freedom of information.

Option 2: self-regulation by relevant organisations. Organisations that meet the conditions of section 5 of the Act would be encouraged to provide information about their public activities on a voluntary basis instead of being required by a section 5 order to make information available in accordance with the Act. One possibility would be to draw up a Code of Practice for private organisations that are providing public services. If such a code could be agreed and generally observed, this might provide the benefits of increased access to information while minimising disruption and regulation of private organisations. The key questions that would need to be addressed are how far and how consistently organisations could be expected to abide by any non-statutory guidance and whether any sanctions could be brought to bear on organisations that failed to do so. Anecdotal evidence suggests that while some such organisations are already choosing to make information available, others are unwilling to do so.

Option 3: build information access obligations into contracts with organisations delivering public services. This would provide for some form of information access in relation to services provided under contract, but would not be an option in relation to organisations exercising functions of a public nature in their own right, rather than under contract. Information could be supplied either directly from the contractor or by requiring the contractor to send information to the public authority that would then be accessible from them under the Act. This is likely to be less burdensome to the contractor than being designated as a public authority. Standard clauses could be produced to include conditions and exemptions similar to those found in the Act. These could be adapted to meet the individual needs of the organisation providing the service. However, there would then be the risk of inconsistency in the level of information access from different contractors. That risk would be exacerbated if it were decided to introduce such obligations only into new
contracts (since reviewing all contracts already held by public authorities would be time consuming and costly). We would need to consider whether such contracts should be enforceable not just by the public authority, but also by members of the public seeking access to information. Another
disadvantage of this option would be that enforcement would take place ultimately through civil claims for breach of contract, rather than the enforcement machinery contained in the Act.

Option 4: introduce a single section 5 order covering a specified set of organisations. This option would increase public access to information from specific organisations that provide public services while leaving others outside the ambit of FOI. It would allow for FOI coverage to be extended only to those organisations in respect of which the government was satisfied that the benefits of information access outweighed any negative impacts. Possible criteria for identifying the most appropriate organisations to be covered by any section 5 orders are discussed in more detail in Parts 2 and 3 of this paper. It would of course be feasible to introduce further section 5 orders in future, but under this Option there would be no specific expectation on the Government to do so in the short term.

Option 5: introduce a series of section 5 orders so as progressively to widen coverage of the Act over time. This option would provide for progressive extension of the coverage of
FOI. Designation of new public authorities could be implemented in waves by means of successive section 5 orders. Organisations could be brought within the ambit of the FOIA in order of priority; this would also allow for evaluation of the benefits of each order before any new order was made.
Rigorous impact assessment would be needed to ensure that the benefits of access to the information held by any organisation or class of organisations outweighed any negative impact, for example on their ability to work effectively.

Q1: Do you support extending the coverage of the FOI Act to organisations that carry out functions of a public nature and to contractors who provide services to a public authority whose provision is a function of that public authority?

Q2: Of the five proposed options, which do you consider the best option? Or would some other option, or combination of options, be preferable? Please explain your reasoning.

Q3: Should some form of public funding be essential in order for an organisation to be considered for inclusion in a section 5 order, or should this be just one of a number of relevant factors to be considered?

Q4: Are there any organisations or categories of organisations that do not receive public funding but that you believe should be covered by the Act? Please explain why.

Q5: Do you agree that the balance between the public interest and the potential burden of FOI is an appropriate consideration when deciding whether to cover an organisation?

Q6: To what extent do you think that the factors listed, or any other factors, should be taken into account in determining whether organisations performing public functions should be brought within the ambit of the Act?

Q7: Do you agree that the coverage of FOI should extend to contractors who provide services under contract with a public authority whose provision is a function of that authority? If you disagree, please give your reasons.

Q8: Do you agree that information relating to an organisation’s administration of a public service or function, for example in the areas listed in paragraph 33, should be subject to FOI? If not, please give your reasons.

Q9: Which organisations, or types of organisations, do you believe should be considered for inclusion in any extension of FOI under s.5 of the Act, and why?

TO ADD YOUR OWN COMMENT OR VIEW OTHER COMMENTS, CLICK ON THE BLUE BAR. THIS SERVICE IS IN BETA - PLEASE ALSO FEEDBACK ON BUGS AND SUGGESTED FUNCTIONS.

Launch Date 9 October 2007. Respond by 30 November 2007

The Byron Review is an independent review of the risks to children from exposure to potentially harmful or inappropriate material on the internet and in video games. This consultation calls for evidence from all groups and individuals. The Byron Review is an independent review supported by officials from the Department for Children, Schools and Families and the Department for Culture Media and Sport.

Skip to:

Further details are available at: www.dcsf.gov.uk/byronreview

The review will conclude with a report to the Secretaries of State at the end of March 2008. Dr Tanya Byron will be supported by a team of officials from the Departments for Children Schools and Families and Culture, Media and Sport.

This call for evidence has been launched to gather information and advice from the widest possible range of people involved with the issues of the review. It is open to any interested person. Responses will be received and considered directly by the Review team and should not assume knowledge of any prior positions established in correspondence with the Departments. Details on how to submit your responses and views can be found later in this document. The Review will also be launching targeted consultation activity on these issues for children and young people.

2 Introduction

2.1 Children and young people are at the heart of this review. Video games and the internet are an established part of most children and young people’s lives, providing huge benefits and opportunities but also presenting potential risks. The Review’s starting point is that risks are a reality of life and that it is important that children and young people learn to understand, assess and manage risks as part of growing up. Nevertheless, some levels of risk may simply be unacceptable and the Review will explore how we can promote shared responsibility for the safety and wellbeing of children and young people.

Play and exploration are essential to healthy child development and positive childhood experiences, and rapidly changing technologies mean new and exciting play and learning opportunities are now available to our children. To make sure that playing video games is healthy, happy and fun, we need to check that games are suitable for the children who play them. This Review will look at video games in all their forms: hard copy, download and played online.

The Review will also be looking more widely at material and experiences available to children on the internet. The internet is a global community that is expanding at a phenomenal and exhilarating pace and with ever-changing ways of accessing it, including through new mobile technologies. Like the front door of a house, the internet is a portal to the community beyond. And while going online can offer children many new and positive experiences, they need to be prepared for what they might find on the web and helped to enjoy it and benefit from it safely. Just as we show our children how to use the local shop by walking the route with them, teaching them how to cross the road and how to spot potential danger, so we need to show them how to find their way safely and confidently around the internet. But we also need to feel confident that this virtual community has its own system of rules, safety checks and local people who care about protecting our children just as much as we hope those outside our front door do.

Throughout the review process we will seek to balance the value of qualitative and quantitative evidence with the views and experiences of all those who are affected by the issues under consideration. Everyone can contribute and the Review team has no doubt that strong opinions will be expressed alongside facts and evidence. The views, attitudes and beliefs we will hear have a significant role to play in our assessment and analysis because of the crucial role they will play shaping the social and cultural context of our work and recommendations.

Key questions for the review are:

What are the benefits and opportunities that new technologies offer for children, young people, their families, society and the economy?

What are the potential or actual risks to children’s safety and wellbeing of going online and playing video games and how do children, young people and parents feel about those risks?

To what extent do children, young people and parents understand and manage those risks and how can they be supported to do so?

What, if anything, could be changed in order to help children, young people and parents manage the potential or actual risks of going online or playing video games, and what are the pros and cons of different approaches?

Over the course of the Review the team will consider views gathered from a wide range of stakeholders: parents, children and young people (0-18); those involved in the welfare, education and safety of children; the academic and research community; the video gaming industry; gamers; the internet industry (producers, content aggregators, web hosts, internet service providers, search and navigation providers, consumer device manufacturers and retailers and the representative bodies of these groups); advertising and retail bodies; government agencies; other statutory and non-statutory public bodies and third sector organisations.

This Review will consider all potentially harmful or inappropriate material that children and young people might access or experience online or in video games. The Review will not tackle the existence of illegal content or activity online given that there is legislation and enforcement activity in place to address this – for example: online grooming of children, the creation and distribution of abusive images of children, under-age online gambling or content that incites racial or religious hatred. Nevertheless, the recommendations of the Review will no doubt be relevant to protecting children and young people from such illegal content and activity, because the primary objective of the Review is to help children, young people and parents understand, assess and manage the potential risks of going online and playing video games. The Review will also need to take into account the emergence of new ways of accessing the internet and video games such as mobile technology to ensure that the analysis and recommendations remain relevant in the future.

This Review will not cover television content as there is already extensive statutory regulation in this area, but the team welcomes any contributions on this or other areas where there may be lessons, examples or comparative approaches which would deepen our understanding of the issues.

We welcome all feedback and opinions and would encourage any person with views relating to this review to participate. Respondents do not need to answer all of the questions. This call for evidence closes at 5pm on Friday 30 November. In addition to this call for evidence, the Review will also be launching targeted consultation activities for children and young people.

You can respond on-line or in writing (to DCSF, Area 1A, Castleview House, Runcorn, Cheshire, WA7 2GJ) or by email.

5 - Additional Copies

Additional copies are available electronically and can be downloaded

6 - Plans for making results public

This consultation will be used as evidence for the review, and will be published at the end of March 2008, on the DCSF website.

TO ADD YOUR OWN COMMENT OR VIEW OTHER COMMENTS, CLICK ON THE BLUE BAR. THIS SERVICE IS IN BETA - PLEASE ALSO FEEDBACK ON BUGS AND SUGGESTED FUNCTIONS.

Framework code of practice for sharing personal information

Content

About the Code

Code of practice recommended content:
1. Deciding to share personal information
2. Fairness and transparency3. Information standards
4. Retention of shared information
5. Security of shared information
6. Access to personal information
7. Freedom of Information
8. Review

Appendix 1 –Other relevant guidance from the Information Commissioner.

About the Code:

Why a framework code of practice?

The Information Commissioner’s first statutory duty is to promote the following of good practice in the handling of personal information. ‘Good practice’ means practice that appears to the Commissioner to be desirable, having regard to the interests of individuals and the organisations that process personal information about them. Good practice includes, but is not limited to, compliance with the requirements of the Data Protection Act 1998.

The Commissioner has produced this framework code to help organisations to adopt good practice when sharing information about people. The framework code is intended to be of use to all organisations involved in information sharing. Using the framework code will help organisations to ensure that they address all the main data protection compliance issues that are likely to arise when personal information is being shared. This in turn should help front-line practitioners to make well-informed decisions about sharing personal information.

The benefits of using the framework code of practice

The framework code breaks down compliance with a fairly complex piece of legislation into a series of logical steps. These should be easy for you to follow in practice, even if you’re not a data protection expert. Organisations will face different compliance issues, and may adopt their own approaches to dealing with them. However, using the framework code should help organisations to develop a common understanding and a consistency of approach.

Producing your own code of practice, and using it, will help you to establish good practice an to comply with the law. It will also help you to strike the balance between sharing personal information and protecting the people it’s about. This should engender the trust of the public and ensure that they understand, and participate in, your information sharing initiatives. Following a good quality code of practice will also give your staff the confidence to make well informed decisions, reducing the considerable uncertainty that can surround information sharing.

Ultimately, the following of good practice will make your information sharing more effective and will enhance the reputation of your organisation in the eyes of the people you handle information about.

What do we mean by ‘information sharing’?

There are two main sorts of information sharing. The first involves two or more organisations sharing information between them. This could be done by giving access to each others’ information systems or by setting up a separate shared database. The second involves the sharing of information between the various parts of a single organisation, for example between a local authority’s various departments. The content of the framework code should be relevant to both sorts of information sharing.

The framework code is for use primarily in circumstances where information is being shared on a routine, systematic basis. However in some cases information is shared in a more ad hoc way. For example, a teacher might decide to share information with a social worker because there is concern about a particular child’s welfare. The framework code is not intended for use in circumstances like that, although professionals may still find it useful.

How to use the framework code of practice.

This framework should be used by organisations that want to produce their own codes of practice for sharing information. It says what content a code of practice should have if it is to support good practice in the sharing of personal information. Organisations using the framework code must populate it with their own detailed content, reflecting their own business needs. Where a number of organisations are working collaboratively on an information sharing project, it is important that any codes of practice do not contradict each other or overlap confusingly. In many cases it is best to have a single code of practice that all the organisations involved in the information sharing comply with.

We recognise that different organisations have different needs, depending on the sort of information sharing they’re involved in. Some of the framework’s content won’t be relevant to some organisations. We expect a considerable degree of flexibility in how the framework is used. For example, some organisations will use it to produce a stand-alone document, whilst others may want to integrate some or all of its content into their existing policies and procedures. The content of this document could also be used as a checklist for an organisation to evaluate its existing policies and procedures.

The Information Commissioner will endorse a code of practice based on the framework provided it addresses all its substantive content. For a code to be meaningful it must be adhered to in practice. In order to provide an endorsement we would normally expect an organisation to agree to our auditing compliance with its code.

Drawing up a code and following its recommendations in practice cannot guarantee compliance with the Data Protection Act 1998. However, adherence to a properly drafted code of practice would constitute a significant step to achieving compliance with the Act.

Each part of the framework code begins with a clear statement of what the Act requires. However, some of the content of the framework code goes beyond the strict legal requirements of the law. We have done this as part of our statutory duty to promote good practice in the handling of personal information.

Code of practice recommended content:

1. Deciding to share personal information

The law:

Any information sharing must be necessary. Any information shared must be relevant and not excessive.

Your code of practice should:

1. Set out why you want to share personal information.

2. Provide for a realistic appraisal of the likely effect of the sharing on the people the information is about, and of their likely reaction to it.

3. Describe the information that you need to share to achieve your objective and the organisations that need to be involved.

4. Outline the relevant statutory provisions, if your organisation is legally required, or permitted, to share information or is prevented from doing so.

5. Address any issues that might arise as the result of sharing confidential or sensitive information.

6. Say whether individuals’ consent for information sharing is needed and if so, how to obtain consent and what to do if consent is withheld.

7. Give advice on finding alternatives to using personal information.

Points to remember:

1. Before you start sharing information you should decide and document the objective that it is meant to achieve. Only once you have done this can you address other data protection compliance issues, for example deciding what information is relevant.

2. This process is often termed a ‘privacy impact assessment’. It should assess any benefits that the information sharing might bring to society or individuals. It should also assess any negative effects, such as an erosion of personal privacy, or the likelihood of damage, distress or embarrassment being caused to individuals. It should determine ways to avoid or minimise the unwarranted detrimental effects on individuals.

3. Only relevant information may be shared. Another organisation should not be allowed to have access to all the information you hold. You should work out which information items may be shared and who with. This should be reviewed regularly to prevent the sharing of information that is not relevant to achieving your objective. Where you are sharing information internally, for example within a local authority, the same considerations apply. If only certain departments are involved in providing the service that the information sharingis intended to support, only those departments should have access to the information.

4. Some organisations are required by law to share information for certain purposes, for example as part of a local crime reduction partnership. In such cases you must be clear about what information you are required to share and in what circumstances. If you are unclear about this you should seek legal advice. Other organisations are permitted to share information, for example where this is necessary for a local authority to carry out its functions. In some cases an organisation may be expressly prohibited from sharing the information they hold. Such organisations must be clear about the nature of any such prohibition. Again, if necessary, legal advice about your powers should be obtained.

5. The threshold for sharing confidential or sensitive information is generally higher than for sharing other forms of information. This is because the unnecessary or inappropriate sharing of this sort of information is more likely to cause damage, distress or embarrassment to individuals. Some information is so sensitive, for example that contained in a health record, that in normal circumstances a patient’s explicit consent must be obtained if you want to share or use it for a purpose other than healthcare.

6. Sometimes data protection law only requires that the individual knows about the sharing of information, it is not always necessary to obtain his or her consent for this. However, if you decide that you do need consent, this must be specific, informed and freely given agreement. A failure to object does not constitute consent. Most importantly, the individual must understand what is being consented to and the consequences of giving or withholding consent. If you are relying on consent to share information about a person, you must stop doing so if consent expires or is withdrawn. You must be clear with members of the public about the role that consent plays in your information sharing. In this context, consent is not genuine unless its withdrawal leads to the information sharing being stopped.

7. It is not justified, in data protection terms, to share information that identifies people when anonymised or statistical information could be used. This sort of approach can help to protect personal privacy whilst still allowing organisations to carry out their functions. In some planning contexts, for example, it may only be necessary to use general demographic information about people living in certain areas, rather than identifiable individuals’ names, addresses and dates of birth.

2. Fairness and transparency

The law:

Personal information shall be processed fairly. When you obtain information from a person the
processing won’t be fair unless:
you say who you are, unless this is obvious
you say what purpose the information will be processed for
you provide any other information necessary to enable the processing to be fair.

Your code of practice should:

1. Give guidance on the drafting of ‘fair processing notices’.

2. Advise on ensuring notices are actively provided or, at least, freely available to the people you want to share information about.

3. Ensure that ‘fair processing notices’ give a genuinely informative explanation of how information will be shared and that they are updated when necessary.

4. Provide for ways of dealing with requests for further information and enquiries from members of the public

5. Help to ensure that explanations are given of the circumstances in which information may be shared without the individuals’ knowledge or consent

Points to remember:

1. Fair processing notices, or ‘privacy policies’ as they are sometimes known, are intended to inform the people the information is about how it will be shared and what it will be used for. This means that notices have to be drafted in a way that the people it’s aimed at will understand. Drafting notices for children and others whose level of understanding may be relatively low requires particular care. You should avoid legalistic language and adopt a plain-English, readable approach. Ideally, your code of practice should contain examples of model fair processing notices.

You must decide whether a single fair processing notice is sufficient to inform the public of all the information sharing that your organisation carries out. In some cases it would be good practice to produce a separate fair processing notice for a particular information sharing initiative. This would allow much more detailed and specific fair processing information to be provided. In other cases a more general notice could suffice.

2. A fair processing notice is meaningless unless people can read it and understand it. At least, you should make sure your fair processing notice is readily available. You should try, though, to actively provide fair processing notices to people, for example when you hold meetings with them or send out a letter. You should normally provide ‘fair processing’ information when you first obtain information about a person.

Where you intend to share confidential or particularly sensitive information you should actively communicate your fair processing information.

3. Information sharing arrangements can be quite complicated, with different sorts of information being shared between various agencies. However, you have to give a comprehensive and accurate description of what information is being shared and who it’s being shared with. An information sharing arrangement can change over time, for example where a public body is placed under a new statutory duty to share information to deal with a particular problem. This requires the public body to periodically review its fair processing information to ensure that it still provides an accurate description of the information sharing being carried out.

It can be useful to adopt a ‘layered’ approach to providing fair processing information. This involves having a relatively simple explanation backed up by a more detailed version for people who want a more comprehensive explanation. This can be done fairly easily in online contexts.

4. Sometimes people will have queries about how information about them is being shared, or may object to this. It is good practice for organisations to have systems in place for dealing with enquiries about information sharing in a timely and helpful manner. The analysis of queries and complaints should help you to understand public attitudes to the information sharing you’re carrying out, and to make any necessary improvements.

5. This can only happen in limited circumstances, for example where telling someone about the disclosure of information would lead to a crime going undetected or to an individual suffering harm. However, you should be prepared to be open with the public about the types of circumstance in which information may be disclosed without their knowledge or consent.

3. Information standards

The law:

Information shall be adequate, relevant, not excessive, accurate and up to date.

Your code of practice should contain:

1. Procedures for checking that information is of good enough quality before it is shared.

2. Methods for making sure that shared information is recorded in a compatible format.

3. Methods for checking periodically that shared information is of sufficient quality.

4. Procedures for ensuring that any information that is being shared is relevant and not excessive.

5. Methods for making sure that any problems with personal information, e.g. inaccuracy, are also rectified by all the organisations that have received the information.

Points to remember:

1. It is good practice to check the quality of the information before it is shared, otherwise inaccuracies and other problems will be spread across information systems. In general, any plan to share information should trigger action to ensure that inaccurate records are corrected, irrelevant ones weeded out, out of date ones updated and so forth.

2. Different organisations may record the same information in different ways. For example, a person’s date of birth can be recorded in various formats. This can lead to records being mis-matched or becoming corrupted. Before sharing information you must make sure that the organisations involved have a common way of recording key information, for example by deciding on a standard format for recording people’s names. If a common standard for recording information cannot be established, a robust means of conversion must be deployed.

3. Only once you have a clearly defined objective, for example the delivery of a particular service, can you make an informed decision about the information that is necessary to carry out that objective. You should be able to justify the sharing of each item of information on the grounds that its sharing is necessary to achieve the objective. You must not share information if it is not necessary to do so. It is good practice to periodically review the information sharing and to check that all the information being shared is necessary to achieving your objective. Any unnecessary sharing of information should cease. However, in some contexts it is impossible to determine with certainty whether it is necessary to share a particular piece of information. In such cases, experience and professional judgement must be relied on.

4. It is good practice to check from time to time whether the information being shared is of good enough quality. For example, a sample of records could be looked at to make sure the information contained in them is being kept up to date. It is a good idea to show the records to the people they are about so that the quality of information on them can be checked. Although this may only reveal deficiencies in a particular record, it could indicate wider systemic failure that can then be addressed.

5. The spreading of inaccurate information across a network can cause significant problems for individuals. If you discover that you have shared inaccurate information, you should not only correct your own records but ensure that the information is also corrected by others holding it. You need to have procedures in place for dealing with situations where there are disagreements between organisations about the accuracy of a record. In some cases, the best course of action might be to ask the individual him or herself whether their record is correct.

4. Retention of shared information

The law:

Personal information shall not be kept for longer than is necessary.

Your code of practice should:

1. Specify retention periods for the different types of information you hold, including retention times for the various items held within a record.

2. Provide for the periodic review of retention periods, based on assessment of business need.

3. Set out any legal requirements or professional guidelines relevant to the retention or disposal of the information you hold.

4. Ensure that any out of date information that still needs to be retained is not permanently deleted is safely archived or put ‘offline’.

5. Specify whether information supplied by another organisation should be deleted or returned to its supplier.

6. Provide a mechanism for ensuring that your retention procedures are being adhered to in practice.

Points to remember:

1. Automated systems can be used to delete a specific piece of information after a pre-determined period. Such a facility is particularly useful where a large number of records of the same type are held.
Considerations for judging retention periods include:
the current and future value of the information for the purpose for which it is held
the costs, risks and liabilities associated with retaining the information
the ease or difficulty of ensuring the information remains accurate and up to date.

2. You should review your retention policy in the light of operational experience. If records that are being retained are not being used, this would call into question the need to retain them.

3. For example, there are various legal requirements and professional guidelines relating to the retention of health records.

4. There is a significant difference between permanently, irreversibly deleting a record and merely archiving it. If you merely archive a record or store it ‘offline’ it must still be necessary to hold it and you must be prepared to give subject access to it and hold it in compliance with the data protection principles.

5. The various organisations sharing information should have an agreement about what should happen once the need to share the information has passed. In some cases the best course of action might be to return the shared information to the organisation that supplied it without retaining a copy. In other cases, for example where the particular issue that information sharing was intended to deal with has been resolved, all the organisations involved should delete their copies of the information.

If information you hold should be deleted, for example because it no longer serves a useful purpose or has a statutory retention period that has been exceeded, you must make sure that any organisation that has a copy of the information also deletes it. It might be possible to anonymise the information, in which case it can be retained indefinitely.

6. A good way to do this is to periodically audit the personal information you hold to ensure that information is not being retained for too long or deleted prematurely.

5. Security of shared information

The law:

Personal information shall be protected by appropriate technical and organisational measures.

Your code of practice should:

1. Describe ways of evaluating the level of security that needs to be in place.

2. Set out standards for the technical security arrangements that must be in place to protect shared information.

3. Describe the organisational security arrangements that must be in place to protect shared information.

Points to remember:

1. Your key consideration should be to ensure that your security is adequate in relation to the damage to individuals that a security breach could cause. More sensitive or confidential information therefore needs a higher level of security. However, rather than having different security standards for different pieces of information, it might be easier to adopt a ‘highest common denominator’ approach, i.e. to afford all the information you hold a high level of security. A good approach is for all the organisations involved in information sharing to adopt a common security standard, e.g. ISO17799 or ISO27001.

2. A difficulty that can arise when information is shared is that the various organisations involved can have different standards of security and security cultures. It can be very difficult to establish a common security standard where there are differences in organisations’ IT systems and procedures. Problems of this sort should be addressed before any personal information is shared. It is the responsibility of the organisation providing the information to be shared to ensure that it will continue to be protected by sufficient security once other organisations have access to it.

3. Different organisations may have different cultures of security, and considerations similar to those outlined in the point above apply. Again, it is important that any relative weaknesses in an organisations’ security are rectified, for example by carrying out inter-organisational training, before any personal information is shared between them. Where an organisation employs another organisation to process personal information on its behalf, a contract must be in place to ensure the information remains properly protected.

6. Access to personal information

The law:

Individuals have a right of access to information about them.

Your code of practice should: