This consultation ends on 15 February 2008

A paper produced by the Data Sharing Review. This information is also available on the Review’s website.

Introduction

On 25 October the Prime Minister asked Richard Thomas, the Information Commissioner, and Dr Mark Walport, Director of the Wellcome Trust, to carry out an independent review of the use and sharing of personal information in the public and private sectors.

This review will consider whether there should be any changes to the way the Data Protection Act 1998 operates and the options for implementing any such changes. It will include recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection. It will also make recommendations on how data sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability.

The recommendations will seek to take account of technological advances and strike a balance that ensures appropriate privacy and other safeguards for individuals and society, whilst enabling the sharing of information to protect the public, increasing transparency, enhancing public service delivery and reducing the burden on business.

This paper sets out a series of questions relating to the use of personal information by the public and private sectors. Not all of these questions will be of relevance to all respondents. However, we would be grateful if you could answer those questions that are most relevant to you.

Personal information is shared and used every day by both public authorities and private organisations. The scope and methods of information sharing varies greatly – ranging from an individual piece of personal information being shared once between two public authorities to the regular and wholesale sharing of personal information between two or more databases. Across this spectrum, the key question that arises – in terms of the public good (such as law enforcement, child protection or improved public services) – is what is the rationale for the sharing of personal information that is being sought. This then leads to such questions as whether the personal information being shared is being used for the purpose for which it was collected and not for incompatible purposes, and whether the amount of information being shared (and access to it) is proportionate. The safeguards needed in such situations need to be sufficient to command public trust and confidence. This consultation paper, therefore, seeks views on the scope of personal information sharing – i.e. what personal information is shared – and on the spectrum of information sharing – i.e. in what way is personal information shared.

We would also be grateful for any additional suggestions or observations you may have – from both the public and private sector – that you believe to be relevant to the review. We would welcome case studies of information-sharing initiatives that have been successful in delivering benefits to individuals and to society. We would also welcome frank appraisals of examples where information sharing has either not been successful or has failed to materialise – for example due to funding problems or the legal framework; due to a lack of political, institutional or cultural will; or because of public objections. We would further welcome case studies where problems were encountered in the sharing of personal information or where the sharing of such information generated unacceptable risks.

The consultation is aimed primarily at experts and practitioners in the field of data sharing and data protection in the public and private sectors; government departments and agencies with an interest in data sharing and privacy; the devolved administrations; the European Commission; the general public; and relevant organisations in the UK.

We would be grateful for responses by Friday, 15 February 2008.

QUESTIONNAIRE

This document assumes a working knowledge of the Data Protection Act and other relevant legislation.

Section 1: Background

Question 1

Please explain what your interest in information sharing is. If you have an active involvement in personal information sharing, we would be grateful for the following information:

Section 2: Scope of personal information sharing, including benefits, barriers and risks of data sharing and data protection

Question 2

What in your view are the key benefits of sharing personal information to
a) individuals and b) society? Please provide examples.

Question 3

What in your view are the key risks of sharing personal information to a) individuals and b) society? Please provide examples.

Question 4

As mentioned in the introduction, there are wide variations in the scope and methods of personal information sharing. What scope and what methods, in your view, pose the greatest opportunities or risks? Please explain the reasoning behind your response.

Question 5

Please provide examples of where, in your view, the public authorities hold too much data or not enough personal information, and the reasoning behind your response.

Question 6

Please provide examples of where, in your view, private sector organisations hold too much personal information or not enough personal information, and the reasoning behind your response.

Question 7

Please provide examples of cases where you believe the sharing of personal
information between two or more bodies would be beneficial, but where it is not currently taking place.

Please explain as fully as possible why information is not being shared, detailing what the barriers to the sharing of personal information are – e.g. legal, cultural, inancial, institutional – and how these barriers can be overcome.

Question 8

Please provide examples of cases where you believe that personal information is being shared between two or more bodies, but where this should not be taking place.

Please describe the information-sharing concerned and why you believe it should not be talking place, including the risks involved in such information-sharing.

Section 3: The legal framework

The Data Protection Act (DPA) regulates the processing of information, including its obtaining, holding, use and disclosure. The second principle of the DPA is as follows: “Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.”

Question 9

In your view, how well does the DPA work? Please outline the DPA’s main strengths and weaknesses and any proposals for changes you would like to see made, including suggestions for their implementation.

Question 10

In your view, how well do public authorities and private organisations adhere to the second principle of the DPA? How valuable do you believe the second principle is? Please provide examples and the reasoning behind your response.

Question 11

What technical, institutional or societal barriers stand in the way of the effectiveness of the DPA? Please provide examples.

Question 12

What further powers, safeguards, sanctions or provisions do you believe should be included in the DPA.

Question 13

Are there any other aspects of UK or EU law (such as EU Directive 95/46/EC) that impact positively or negatively on data sharing or data protection? Please provide examples.

Question 14

Are there any statutory powers unavailable that would enable better and more secure sharing of personal information – for example for identity authentication purposes – between a) public authorities and b) public authorities and private organisations? If so, what are they? Please provide examples and any steps you believe could be taken to improve matters.

Question 15

Are there any parts of the legal framework that place an unreasonable burden on business? Please provide examples. Please outline your proposals for streamlining the legislation to ensure that such burdens are minimised.

Section 4: Consent and transparency

Question 16

Is it clear whether and when you need individuals’ consent to share information about them? Are you clear about the form that consent should take? Please provide examples. Please provide details of any initiative you have been involved in that has been based on consent.

Question 17

What, if any, barriers would a requirement for gaining consent create to the sharing of personal information? Please explain your reasoning.

Question 18

Do you have any suggestions on how to make the sharing of information more
transparent? For example, should individuals be given strengthened access rights? And if so, how?

Should organisations be expected to do more to explain their use and sharing of personal information to the public? And if so, how?

Question 19

How can we best ensure that information sharing policy is developed in a way that ensures proper transparency, scrutiny and accountability? For example: In your view, how valuable is the Information Commissioner’s recently published Framework code of practice for sharing personal information. In your view, how valuable are privacy impact assessments along the lines
announced by the Information Commissioner on 11 December?

Section 5: Technology

Question 20

What impact in your view have technological advances had on the sharing and
protection of personal information? Please provide examples.

Question 21

Should the law mandate specific technical safeguards for protecting personal
information? For example, should there be an explicit requirement that all personal information held on portable devices be encrypted to a particular standard?

Question 22

How, in your view, could ‘privacy enhancing techniques’, such as the anonymisation or pseudonymisation of personal information, help safeguard personal privacy, whilst facilitating activities such as performing medical research? Is sufficient advice about the deployment of such techniques available? Are you confident about using them? What are the barriers to using them?

Section 6: International comparisons

Question 23

Are you aware of any jurisdictions whose legal framework for sharing and protecting personal information contains features that could be useful in a UK context? Please provide examples.

Question 24

Do you have any international examples of good practice in the sharing of personal information that could or should be adopted by the UK?

Question 25

Do you have any knowledge of jurisdictions that have adopted a particularly
permissive or restrictive approach to sharing personal information? What have the consequences of this been?

Question 26

Are you aware of significant differences in public attitudes to the sharing of personal information in other countries? Please provide examples and an explanation for why you believe this to be the case.

Section 7: Additional questions

Question 27

Are there any additional issues on the sharing of personal information and protection of personal information that this review should be considering? Do any of these issues apply specifically to your sector?

Question 28

Please set out any additional suggestions or observations you have that you believe will be of assistance to the review.

TO ADD YOUR OWN COMMENT OR VIEW OTHER COMMENTS, CLICK ON THE BLUE BAR. THIS SERVICE IS IN BETA - PLEASE ALSO FEEDBACK ON BUGS AND SUGGESTED FUNCTIONS.

Framework code of practice for sharing personal information

Content

About the Code

Code of practice recommended content:
1. Deciding to share personal information
2. Fairness and transparency3. Information standards
4. Retention of shared information
5. Security of shared information
6. Access to personal information
7. Freedom of Information
8. Review

Appendix 1 –Other relevant guidance from the Information Commissioner.

About the Code:

Why a framework code of practice?

The Information Commissioner’s first statutory duty is to promote the following of good practice in the handling of personal information. ‘Good practice’ means practice that appears to the Commissioner to be desirable, having regard to the interests of individuals and the organisations that process personal information about them. Good practice includes, but is not limited to, compliance with the requirements of the Data Protection Act 1998.

The Commissioner has produced this framework code to help organisations to adopt good practice when sharing information about people. The framework code is intended to be of use to all organisations involved in information sharing. Using the framework code will help organisations to ensure that they address all the main data protection compliance issues that are likely to arise when personal information is being shared. This in turn should help front-line practitioners to make well-informed decisions about sharing personal information.

The benefits of using the framework code of practice

The framework code breaks down compliance with a fairly complex piece of legislation into a series of logical steps. These should be easy for you to follow in practice, even if you’re not a data protection expert. Organisations will face different compliance issues, and may adopt their own approaches to dealing with them. However, using the framework code should help organisations to develop a common understanding and a consistency of approach.

Producing your own code of practice, and using it, will help you to establish good practice an to comply with the law. It will also help you to strike the balance between sharing personal information and protecting the people it’s about. This should engender the trust of the public and ensure that they understand, and participate in, your information sharing initiatives. Following a good quality code of practice will also give your staff the confidence to make well informed decisions, reducing the considerable uncertainty that can surround information sharing.

Ultimately, the following of good practice will make your information sharing more effective and will enhance the reputation of your organisation in the eyes of the people you handle information about.

What do we mean by ‘information sharing’?

There are two main sorts of information sharing. The first involves two or more organisations sharing information between them. This could be done by giving access to each others’ information systems or by setting up a separate shared database. The second involves the sharing of information between the various parts of a single organisation, for example between a local authority’s various departments. The content of the framework code should be relevant to both sorts of information sharing.

The framework code is for use primarily in circumstances where information is being shared on a routine, systematic basis. However in some cases information is shared in a more ad hoc way. For example, a teacher might decide to share information with a social worker because there is concern about a particular child’s welfare. The framework code is not intended for use in circumstances like that, although professionals may still find it useful.

How to use the framework code of practice.

This framework should be used by organisations that want to produce their own codes of practice for sharing information. It says what content a code of practice should have if it is to support good practice in the sharing of personal information. Organisations using the framework code must populate it with their own detailed content, reflecting their own business needs. Where a number of organisations are working collaboratively on an information sharing project, it is important that any codes of practice do not contradict each other or overlap confusingly. In many cases it is best to have a single code of practice that all the organisations involved in the information sharing comply with.

We recognise that different organisations have different needs, depending on the sort of information sharing they’re involved in. Some of the framework’s content won’t be relevant to some organisations. We expect a considerable degree of flexibility in how the framework is used. For example, some organisations will use it to produce a stand-alone document, whilst others may want to integrate some or all of its content into their existing policies and procedures. The content of this document could also be used as a checklist for an organisation to evaluate its existing policies and procedures.

The Information Commissioner will endorse a code of practice based on the framework provided it addresses all its substantive content. For a code to be meaningful it must be adhered to in practice. In order to provide an endorsement we would normally expect an organisation to agree to our auditing compliance with its code.

Drawing up a code and following its recommendations in practice cannot guarantee compliance with the Data Protection Act 1998. However, adherence to a properly drafted code of practice would constitute a significant step to achieving compliance with the Act.

Each part of the framework code begins with a clear statement of what the Act requires. However, some of the content of the framework code goes beyond the strict legal requirements of the law. We have done this as part of our statutory duty to promote good practice in the handling of personal information.

Code of practice recommended content:

1. Deciding to share personal information

The law:

Any information sharing must be necessary. Any information shared must be relevant and not excessive.

Your code of practice should:

1. Set out why you want to share personal information.

2. Provide for a realistic appraisal of the likely effect of the sharing on the people the information is about, and of their likely reaction to it.

3. Describe the information that you need to share to achieve your objective and the organisations that need to be involved.

4. Outline the relevant statutory provisions, if your organisation is legally required, or permitted, to share information or is prevented from doing so.

5. Address any issues that might arise as the result of sharing confidential or sensitive information.

6. Say whether individuals’ consent for information sharing is needed and if so, how to obtain consent and what to do if consent is withheld.

7. Give advice on finding alternatives to using personal information.

Points to remember:

1. Before you start sharing information you should decide and document the objective that it is meant to achieve. Only once you have done this can you address other data protection compliance issues, for example deciding what information is relevant.

2. This process is often termed a ‘privacy impact assessment’. It should assess any benefits that the information sharing might bring to society or individuals. It should also assess any negative effects, such as an erosion of personal privacy, or the likelihood of damage, distress or embarrassment being caused to individuals. It should determine ways to avoid or minimise the unwarranted detrimental effects on individuals.

3. Only relevant information may be shared. Another organisation should not be allowed to have access to all the information you hold. You should work out which information items may be shared and who with. This should be reviewed regularly to prevent the sharing of information that is not relevant to achieving your objective. Where you are sharing information internally, for example within a local authority, the same considerations apply. If only certain departments are involved in providing the service that the information sharingis intended to support, only those departments should have access to the information.

4. Some organisations are required by law to share information for certain purposes, for example as part of a local crime reduction partnership. In such cases you must be clear about what information you are required to share and in what circumstances. If you are unclear about this you should seek legal advice. Other organisations are permitted to share information, for example where this is necessary for a local authority to carry out its functions. In some cases an organisation may be expressly prohibited from sharing the information they hold. Such organisations must be clear about the nature of any such prohibition. Again, if necessary, legal advice about your powers should be obtained.

5. The threshold for sharing confidential or sensitive information is generally higher than for sharing other forms of information. This is because the unnecessary or inappropriate sharing of this sort of information is more likely to cause damage, distress or embarrassment to individuals. Some information is so sensitive, for example that contained in a health record, that in normal circumstances a patient’s explicit consent must be obtained if you want to share or use it for a purpose other than healthcare.

6. Sometimes data protection law only requires that the individual knows about the sharing of information, it is not always necessary to obtain his or her consent for this. However, if you decide that you do need consent, this must be specific, informed and freely given agreement. A failure to object does not constitute consent. Most importantly, the individual must understand what is being consented to and the consequences of giving or withholding consent. If you are relying on consent to share information about a person, you must stop doing so if consent expires or is withdrawn. You must be clear with members of the public about the role that consent plays in your information sharing. In this context, consent is not genuine unless its withdrawal leads to the information sharing being stopped.

7. It is not justified, in data protection terms, to share information that identifies people when anonymised or statistical information could be used. This sort of approach can help to protect personal privacy whilst still allowing organisations to carry out their functions. In some planning contexts, for example, it may only be necessary to use general demographic information about people living in certain areas, rather than identifiable individuals’ names, addresses and dates of birth.

2. Fairness and transparency

The law:

Personal information shall be processed fairly. When you obtain information from a person the
processing won’t be fair unless:
you say who you are, unless this is obvious
you say what purpose the information will be processed for
you provide any other information necessary to enable the processing to be fair.

Your code of practice should:

1. Give guidance on the drafting of ‘fair processing notices’.

2. Advise on ensuring notices are actively provided or, at least, freely available to the people you want to share information about.

3. Ensure that ‘fair processing notices’ give a genuinely informative explanation of how information will be shared and that they are updated when necessary.

4. Provide for ways of dealing with requests for further information and enquiries from members of the public

5. Help to ensure that explanations are given of the circumstances in which information may be shared without the individuals’ knowledge or consent

Points to remember:

1. Fair processing notices, or ‘privacy policies’ as they are sometimes known, are intended to inform the people the information is about how it will be shared and what it will be used for. This means that notices have to be drafted in a way that the people it’s aimed at will understand. Drafting notices for children and others whose level of understanding may be relatively low requires particular care. You should avoid legalistic language and adopt a plain-English, readable approach. Ideally, your code of practice should contain examples of model fair processing notices.

You must decide whether a single fair processing notice is sufficient to inform the public of all the information sharing that your organisation carries out. In some cases it would be good practice to produce a separate fair processing notice for a particular information sharing initiative. This would allow much more detailed and specific fair processing information to be provided. In other cases a more general notice could suffice.

2. A fair processing notice is meaningless unless people can read it and understand it. At least, you should make sure your fair processing notice is readily available. You should try, though, to actively provide fair processing notices to people, for example when you hold meetings with them or send out a letter. You should normally provide ‘fair processing’ information when you first obtain information about a person.

Where you intend to share confidential or particularly sensitive information you should actively communicate your fair processing information.

3. Information sharing arrangements can be quite complicated, with different sorts of information being shared between various agencies. However, you have to give a comprehensive and accurate description of what information is being shared and who it’s being shared with. An information sharing arrangement can change over time, for example where a public body is placed under a new statutory duty to share information to deal with a particular problem. This requires the public body to periodically review its fair processing information to ensure that it still provides an accurate description of the information sharing being carried out.

It can be useful to adopt a ‘layered’ approach to providing fair processing information. This involves having a relatively simple explanation backed up by a more detailed version for people who want a more comprehensive explanation. This can be done fairly easily in online contexts.

4. Sometimes people will have queries about how information about them is being shared, or may object to this. It is good practice for organisations to have systems in place for dealing with enquiries about information sharing in a timely and helpful manner. The analysis of queries and complaints should help you to understand public attitudes to the information sharing you’re carrying out, and to make any necessary improvements.

5. This can only happen in limited circumstances, for example where telling someone about the disclosure of information would lead to a crime going undetected or to an individual suffering harm. However, you should be prepared to be open with the public about the types of circumstance in which information may be disclosed without their knowledge or consent.

3. Information standards

The law:

Information shall be adequate, relevant, not excessive, accurate and up to date.

Your code of practice should contain:

1. Procedures for checking that information is of good enough quality before it is shared.

2. Methods for making sure that shared information is recorded in a compatible format.

3. Methods for checking periodically that shared information is of sufficient quality.

4. Procedures for ensuring that any information that is being shared is relevant and not excessive.

5. Methods for making sure that any problems with personal information, e.g. inaccuracy, are also rectified by all the organisations that have received the information.

Points to remember:

1. It is good practice to check the quality of the information before it is shared, otherwise inaccuracies and other problems will be spread across information systems. In general, any plan to share information should trigger action to ensure that inaccurate records are corrected, irrelevant ones weeded out, out of date ones updated and so forth.

2. Different organisations may record the same information in different ways. For example, a person’s date of birth can be recorded in various formats. This can lead to records being mis-matched or becoming corrupted. Before sharing information you must make sure that the organisations involved have a common way of recording key information, for example by deciding on a standard format for recording people’s names. If a common standard for recording information cannot be established, a robust means of conversion must be deployed.

3. Only once you have a clearly defined objective, for example the delivery of a particular service, can you make an informed decision about the information that is necessary to carry out that objective. You should be able to justify the sharing of each item of information on the grounds that its sharing is necessary to achieve the objective. You must not share information if it is not necessary to do so. It is good practice to periodically review the information sharing and to check that all the information being shared is necessary to achieving your objective. Any unnecessary sharing of information should cease. However, in some contexts it is impossible to determine with certainty whether it is necessary to share a particular piece of information. In such cases, experience and professional judgement must be relied on.

4. It is good practice to check from time to time whether the information being shared is of good enough quality. For example, a sample of records could be looked at to make sure the information contained in them is being kept up to date. It is a good idea to show the records to the people they are about so that the quality of information on them can be checked. Although this may only reveal deficiencies in a particular record, it could indicate wider systemic failure that can then be addressed.

5. The spreading of inaccurate information across a network can cause significant problems for individuals. If you discover that you have shared inaccurate information, you should not only correct your own records but ensure that the information is also corrected by others holding it. You need to have procedures in place for dealing with situations where there are disagreements between organisations about the accuracy of a record. In some cases, the best course of action might be to ask the individual him or herself whether their record is correct.

4. Retention of shared information

The law:

Personal information shall not be kept for longer than is necessary.

Your code of practice should:

1. Specify retention periods for the different types of information you hold, including retention times for the various items held within a record.

2. Provide for the periodic review of retention periods, based on assessment of business need.

3. Set out any legal requirements or professional guidelines relevant to the retention or disposal of the information you hold.

4. Ensure that any out of date information that still needs to be retained is not permanently deleted is safely archived or put ‘offline’.

5. Specify whether information supplied by another organisation should be deleted or returned to its supplier.

6. Provide a mechanism for ensuring that your retention procedures are being adhered to in practice.

Points to remember:

1. Automated systems can be used to delete a specific piece of information after a pre-determined period. Such a facility is particularly useful where a large number of records of the same type are held.
Considerations for judging retention periods include:
the current and future value of the information for the purpose for which it is held
the costs, risks and liabilities associated with retaining the information
the ease or difficulty of ensuring the information remains accurate and up to date.

2. You should review your retention policy in the light of operational experience. If records that are being retained are not being used, this would call into question the need to retain them.

3. For example, there are various legal requirements and professional guidelines relating to the retention of health records.

4. There is a significant difference between permanently, irreversibly deleting a record and merely archiving it. If you merely archive a record or store it ‘offline’ it must still be necessary to hold it and you must be prepared to give subject access to it and hold it in compliance with the data protection principles.

5. The various organisations sharing information should have an agreement about what should happen once the need to share the information has passed. In some cases the best course of action might be to return the shared information to the organisation that supplied it without retaining a copy. In other cases, for example where the particular issue that information sharing was intended to deal with has been resolved, all the organisations involved should delete their copies of the information.

If information you hold should be deleted, for example because it no longer serves a useful purpose or has a statutory retention period that has been exceeded, you must make sure that any organisation that has a copy of the information also deletes it. It might be possible to anonymise the information, in which case it can be retained indefinitely.

6. A good way to do this is to periodically audit the personal information you hold to ensure that information is not being retained for too long or deleted prematurely.

5. Security of shared information

The law:

Personal information shall be protected by appropriate technical and organisational measures.

Your code of practice should:

1. Describe ways of evaluating the level of security that needs to be in place.

2. Set out standards for the technical security arrangements that must be in place to protect shared information.

3. Describe the organisational security arrangements that must be in place to protect shared information.

Points to remember:

1. Your key consideration should be to ensure that your security is adequate in relation to the damage to individuals that a security breach could cause. More sensitive or confidential information therefore needs a higher level of security. However, rather than having different security standards for different pieces of information, it might be easier to adopt a ‘highest common denominator’ approach, i.e. to afford all the information you hold a high level of security. A good approach is for all the organisations involved in information sharing to adopt a common security standard, e.g. ISO17799 or ISO27001.

2. A difficulty that can arise when information is shared is that the various organisations involved can have different standards of security and security cultures. It can be very difficult to establish a common security standard where there are differences in organisations’ IT systems and procedures. Problems of this sort should be addressed before any personal information is shared. It is the responsibility of the organisation providing the information to be shared to ensure that it will continue to be protected by sufficient security once other organisations have access to it.

3. Different organisations may have different cultures of security, and considerations similar to those outlined in the point above apply. Again, it is important that any relative weaknesses in an organisations’ security are rectified, for example by carrying out inter-organisational training, before any personal information is shared between them. Where an organisation employs another organisation to process personal information on its behalf, a contract must be in place to ensure the information remains properly protected.

6. Access to personal information

The law:

Individuals have a right of access to information about them.

Your code of practice should:

1. Set out ways for making sure people can gain access to information about them easily.

2. Provide alternative ways for giving people access to their records.

3. Describe ways of making sure that a person gets access to all the information he or she is entitled to.

4. Give guidance on advising the public about the uses, sources and disclosures of information about them.

5. Provide guidance about relevant exemptions from the right of subject access, i.e. cases where information will be withheld from a person who makes a request for access.

Points to remember:

1. Where information is being shared between a number of organisations it can be difficult for people to work out how to gain access to all the information that’s held about them. It is good practice to provide a single point of contact for people to go to when they want to access their information, and to make people aware of this facility.

2. Organisations are required by law to give people access to information about them. A fee of £10 can be charged and access must be given within 40 calendar days. However, it is good practice to provide faster, cheaper ways for people to gain access to information about them. This could be done by showing people their records when you come into contact with them or by setting up facilities to allow records to be viewed securely online.

3. When personal information is shared between several bodies it can be difficult to determine what information is held. It’s very important, therefore, that organisations sharing information adopt good records management practices, to allow them to locate and provide all the information held about a person in the event of an access request being made.

4. When a request for personal information is made, the organisation is required by law to also describe the purposes for which the information is held and its recipients, i.e. who it is disclosed to. This part of the right of subject access is particularly important in the context of information sharing. You are also required to provide the individual with any information you have as to the information’s source. In some cases information about someone may have been provided by another individual. This might be the case, for example, where a child’s social work file contains information provided by a concerned neighbour. In cases like that, information about the source should normally be withheld.

5. Whether or not an exemption applies depends on the information in question, and in some cases on the effect that releasing the information would have on the individual. However, organisations dealing with a particular type of record are likely to find that they wish to rely on the same exemptions in respect of the access requests they receive. If this is the case, it would be useful to provide detailed advice to staff about how a particular exemption, or exemptions, work. It is good practice to be as open as possible with the public about the circumstances in which you will withhold information from them. In some cases this will not be possible, for example where telling a person that you hold exempt information about them would prejudice the purposes of law-enforcement by ‘tipping off’ an individual that he or she is being investigated.

7. Freedom of Information

The law:

The Freedom of Information Act 2000 gives everyone the right to ask for information held by a public authority, to be told whether the information is held, and, unless exempt, to have a copy of the information.

Your code of practice should:

1. Encourage the inclusion of material about information sharing in your FOI publication scheme.

2. Give advice on providing assistance to members of the public who make requests for a mixture of personal and non-personal information.

Points to remember:

1. Most, if not all, public sector bodies involved in sharing information are covered by the Freedom of Information Act. This means they are required to include various information that they hold in their FOI publication scheme. It is good practice to include the ‘paperwork’ relating to information sharing in the publication scheme, including any relevant code of practice. There is a strong public interest in members of the public being able to find out easily why information is being shared, which organisations are involved and what standards and safeguards are in place.

2. Often people will make requests for information that cover both personal and non-personal information. For example, a person may request information about them that is being shared between various agencies and information about those agencies’ policies for sharing information. Data protection and freedom of information may be dealt with by separate parts of your organisation, and a hybrid request may have to be dealt with under both pieces of legislation. However, it is good practice to be as helpful as possible when dealing with requests of this sort, especially as members of the public may not understand the difference between a data protection and an FOI request.

(This framework code of practice does not contain recommendations about the handling of mainstream freedom of information requests. The Information Commissioner has published comprehensive advice about this elsewhere.)

8. Review

You should keep your information sharing procedures under review, and should update your documentation when necessary. Codes of practice and other documentation can soon become out of date, given the rapid changes that can take place in an organisation’s information sharing practices.

In particular, you should check whether:

1. Your fair processing notices still provide an accurate explanation of your information sharing activity.

2. Your procedures for ensuring the quality of information are being adhered to and are working in practice.

3. Organisations you are sharing information are also meeting agreed quality standards.

4. Retention periods are being adhered to and continue to reflect business need.

5. Security remains adequate and, if not, that any security breaches have been investigated and acted upon.

6. Individuals are being given access to all the information they are entitled to, and that they are finding it easy to exercise their rights.

7. Your FOI publication scheme is being kept up to date.

Appendix 1 – Other relevant guidance

from the Information Commissioner, available at www.ico.gov.uk

Sharing personal information: Our approach. (A general position paper on information sharing.)

The use of personal information held for collecting and administering Council Tax.

Data sharing between different Local Authority departments.

The use and disclosure of information about business people.

The Crime and Disorder Act 1998: data protection implications for information sharing

Sharing information about you. (Gives advice to the public about information sharing.)

If you would like to contact us please call 08456 306060, or 01625 545745
if you would prefer to call a national rate number.
e: mail@ico.gsi.gov.uk
w: www.ico.gov.uk

August 2007

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

TO ADD YOUR OWN COMMENT OR VIEW OTHER COMMENTS, CLICK ON THE BLUE BAR. THIS SERVICE IS IN BETA - PLEASE ALSO FEEDBACK ON BUGS AND SUGGESTED FUNCTIONS.

Basic information regarding this consultation
To: Anyone interested in how the information Commissioner’s office goes about minimising data protection risk, the long term effectiveness of our office and the bringing about of good practice.
Duration: From 02 July 2007 to 28 September 2007
How to respond: In writing: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF care of our Customer Support Team.
By email: mail@ico.gsi.gov.uk marking the subject heading ‘Data protection strategy consultation’

Our vision and our purpose

Data protection lives in the real world. It is all about people and what happens to information about them. The collection and use of personal information is essential to the functioning of our modern society. Our vision is of a society where respect for personal information is guaranteed. A society where organisations inspire trust by meeting reasonable expectations of integrity, security and fairness in the collection and use of personal information. A society where individuals understand how their information is used, are aware of their rights and are confident in using them.

Our data protection purpose is to make this vision a reality. At its heart is ensuring, in a responsible and measured way, that the rights and obligations set out in the Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003 and related legislation are respected. This means that we are primarily concerned with regulating the processing of personal data by the state, by businesses and by other organisations and not with processing by individuals in their purely personal capacity.

However we are not seeking compliance with the law as an end in itself. Making our vision a reality means minimising data protection risk for individuals and society. The law is the main tool we have at our disposal to achieve this, but we go further and promote good practice. Good practice may go beyond simply meeting the requirements of UK law but will always be consistent with the law as well as with the EU Data Protection Directive (95/46/EC) and ultimately with the right to respect for private life enshrined in Article 8 of the European Convention on Human Rights.

This strategy

This data protection strategy sets out how we go about minimising data protection risk. It is concerned with ensuring our maximum long term effectiveness in bringing about good practice. This strategy is aimed at our major stakeholders and spells out the basis on which we select:

This strategy will serve as a reference point for our staff, for all their data protection work. Separate papers deal with the application of this strategy in specific areas such as case handling and the use of our formal powers to take regulatory action.

Our approach

Being a strategic regulator means that, in so far as we have a choice, we have to be selective with our interventions. We will therefore apply our limited resources in ways that deliver the maximum return in terms of a sustained reduction in data protection risk. That is the risk of harm through improper use of personal information.

There are priorities we have to set. We need to focus most attention on situations where there is a real likelihood of serious harm. We also need to focus on situations where our intervention is most likely to make a long term as well as a short term difference. When we intervene we must do so in a way that gives us the best possible return and remember that we will often be at our most effective when working closely with others. We are entitled to have legitimate expectations of those who are in a position to influence data protection risk. Our effectiveness depends on them seeking and welcoming our reasonable interventions. Furthermore we have an important international role. Data protection risk in the UK is increasingly influenced by events worldwide.

Our risk-based approach is in line with good regulatory practice. It does not mean that we seek to remove all data protection risk. We do what we can to moderate the most serious risks and protect those who are most vulnerable to improper use of their information. But we will not try to take away freedom of choice and will remember that individuals themselves ought to be best placed to make decisions about their own interests. Part of our job is to equip individuals with the knowledge and tools to enable them to make their own well-informed decisions about the use and disclosure of their personal information.

Being a strategic regulator also means extending our approach beyond simply improving (through guidance, persuasion and regulatory action) the behaviour of organisations that handle personal information. We also have a legitimate role in influencing the market or political environment in which they operate. Thus we will seek to have long term influence over government and the legislature at Westminster and in the devolved
administrations as well as over representative bodies and other stakeholders, to ensure privacy friendly outcomes.

We will also seek to influence the legal framework that governs our own work to ensure that data protection requirements are simple, meaningful and proportionate and that we have the flexibility and tools to regulate effectively. Building public confidence in data protection is key in our approach. We protect people, not just information. This means we need to engage with the public and explain what we do in a way that they can easily understand and relate to. One of our three ongoing priorities is;

“ Strengthening public confidence in data protection by taking a practical, down to earth approach - simplifying and making it easier for the majority of organisations who seek to handle personal information well, and tougher for the minority who do not ”.

This commitment is at the heart of how we approach our job as data protection regulator and will inform all our data protection tasks including complaints handling and the provision of advice.

Data protection risk

The outcome we are seeking is a minimisation of data protection risk – the risk of harm through improper use of personal information. To set our priorities and provide a reference point for our approach to our regulatory activities we need to be clear what we mean by “harm”.

The principal risk which our activities must address is the risk that individuals will suffer harm because personal information about them is:

Such individual harm can present itself in different ways. Sometimes it will be tangible and quantifiable, for example the loss of a job. At other times it will be less defined, for example damage to personal relationships and social standing arising from disclosure of financial circumstances. Sometimes harm might still be real even if it is intangible, for example the fear of identity theft that comes from knowing that the security of your
financial information has been compromised.

There is also harm which goes beyond the immediate impact on individuals. The harm arising from improper use of personal information may – at least initially – be imperceptible or inconsequential to individuals, but cumulative and substantial in its impact on society. This societal harm might for example arise through the development of a surveillance society.

Societal harm can have multiple causes but improper use of personal information could be a significant factor in:

Setting priorities

We cannot address all areas of data protection risk equally, nor should we attempt to do so. We are spending public money, generated through the notification fee, and must achieve value for money. We are also imposing burdens on businesses and must ensure that the costs of compliance are in proportion to data protection risk. Thus we will set priorities, target our actions where we can and take a measured approach in the lines we
take. We will be open about our priorities so that our stakeholders know where they stand.

Our priorities will be influenced by both the seriousness and likelihood of harm and by the extent to which we can make a difference.

How serious and how likely?

We will make judgements about the seriousness of the risks of individual and societal harm. We will also make judgements about how likely it is that the risk will materialise. We will give priority to tackling situations where there is a real likelihood of serious harm to individuals or society.

The necessary judgements especially about seriousness are not always easy. Loss of privacy can qualify as a harm in its own right, but there are difficult issues of objectivity and subjectivity. Some individuals value their privacy more than others. Our approach will be as objective as possible. It is cast in the following terms:

In judging the seriousness of harm we will look beyond the obvious impact on those who submit complaints to us. We will take account of factors such as;

Can we make a difference?

Judgements are also required about where we can realistically make a difference in reducing the likelihood of harm. We will ask ourselves if our intervention is likely to produce a worthwhile return on the effort we might invest. We will also ask ourselves whether our intervention is key to a successful outcome or whether we can rely on the efforts of others. We will take into account the reasonable expectations of our stakeholders as to where and when we should engage. In doing so we will ask ourselves how closely the issue is related to our core business of ensuring respect for the rights and obligations set out in the law. As before we will ensure that as far as possible our judgements are evidence based. Questions we will ask ourselves include:

We will set priorities but we do not have complete freedom as to how we allocate our resources. We are obliged to consider complaints that are brought to our attention and we must respond positively to those who need our advice. In doing so we must maintain proper standards of customer service. Nevertheless we will do what we can to direct our resources towards situations where there is, or is a likelihood of,
real harm and where our intervention can limit this.

One consequence of our approach is the likelihood that we will need to devote proportionately more of our policy work to developments in the public sector than to developments in the private sector. This is a recognition of where the most serious data protection risks can arise.

How we intervene

We have limited resources and need to use them as efficiently as possible. Whilst dealing with real problems faced by individuals our complaints and advice services will inevitably remain reactive. However we will seek to be influential working where we can to head off data protection risk before it materialises rather than responding to problems as they arise. In particular we will:

Partnerships

We have to work on data protection with other stakeholders, capitalising on their experience, powers, reputation and influence to achieve our purpose. In particular we need to develop our contacts and work with:

Above all we see ourselves as working with those whose rights and liberty we are seeking to protect and enhance. We have a role in educating the public and raising their awareness and competencies but we must understand and respond to their interests and concerns.

Our expectations of others

We have to improve the ways in which we gather and use intelligence and be alert to developments with data protection implications. Nevertheless we still need our stakeholders to tell us, at an early stage, when they embark on developments that carry a significant data protection risk. They should not be afraid to do so. Our role is to help them achieve their objectives in a privacy friendly way not to act as a barrier to sensible progress.

On the other hand we expect our stakeholders to make use of and apply the guidance we produce. It is not good use of our time to respond individually to requests for advice where the necessary advice is available in published form. If our published advice does not meet the needs of our stakeholders we would like them to provide feedback to us. It is also helpful if our stakeholders bring us their thoughts on minimising data protection risk, based on their knowledge of their own fields of business.

We place particular value on developing our relationship with the legislature. We expect the Westminster and devolved administrations to give due prominence to the reduction of data protection risk as a desirable outcome of the legislative process. We want them to use us as a trusted and respected adviser and we expect to be invited to contribute where our involvement can assist this process.

We expect the Government to honour its commitment to pursue the enhancement of privacy alongside its objective of making better use of personal data to deliver improved public services. It is particularly important that we are involved not only at the early stages of policy development which might impact on data protection risk but also at the early stages of development of systems where the processing of personal data is a significant element. We will seek formal commitments from government departments in Whitehall and the devolved administrations to engage with us at those points where we ought to be involved.

We value our contact with civil society and non governmental organisations. They have an important role in drawing our attention to current and potential data protection risk and reflecting the concerns of individuals. We will listen to their claims provided they are supported by evidence and argument.

Our international role

We have an important and developing international role. Not only do we have specific duties related to international cooperation and supervision but we operate in an era of ever-increasing globalisation. Data protection risk is no respecter of international borders. If we are to be effective in reducing risk in the UK we have to be willing to engage with those who determine that risk whether they are based in the UK or elsewhere. This will include EU bodies, inter-governmental organisations, international trade associations and multi-national businesses.

Furthermore if we are to strengthen public confidence in data protection by taking a practical down to earth approach we cannot look at the UK in isolation. We must work with other authorities, particularly those inside the European Union, to improve the image, relevance and effectiveness of data protection worldwide.

Ultimately, simplification for international organisations means one set of data protection standards that are applicable throughout the world. It will not be easy but we have a key role in helping to deliver these. Our experience and size means that we are expected to play a leading part in international data protection affairs. We welcome this but we must bring the same risk based approach to our international data protection work as we do to our domestic activities. This means that we must be selective in taking up the opportunities available at international level and use them to best long term effect.

Where does this take us?

This strategy serves as a reference point for all our data protection work. In so far as we have the freedom to do so, it is particularly valuable in helping us choose the issues on which to engage. Both the issues and their relative priorities will change over time. Nevertheless it is possible to identify some themes which, for the foreseeable future, are likely to remain high on our agenda. These are:

Data protection functions of the Information Commissioner’s Office

This annex explains briefly what the Data Protection Strategy means in practice for some of the data protection functions of the Information Commissioner’s Office.

Educating and influencing

Resolving problems

Enforcement

If you would like to contact us please call 08456 306060, or 01625 545745 if you would prefer to call a national rate number.
e: mail@ico.gsi.gov.uk
w: ico.gov.uk

June 2007
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF