Data Sharing Review: A consultation on the use and sharing of personal information in the public and private sectors
This consultation ends on 15 February 2008
A paper produced by the Data Sharing Review. This information is also available on the Review’s website.
Introduction
On 25 October the Prime Minister asked Richard Thomas, the Information Commissioner, and Dr Mark Walport, Director of the Wellcome Trust, to carry out an independent review of the use and sharing of personal information in the public and private sectors.
This review will consider whether there should be any changes to the way the Data Protection Act 1998 operates and the options for implementing any such changes. It will include recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection. It will also make recommendations on how data sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability.
The recommendations will seek to take account of technological advances and strike a balance that ensures appropriate privacy and other safeguards for individuals and society, whilst enabling the sharing of information to protect the public, increasing transparency, enhancing public service delivery and reducing the burden on business.
This paper sets out a series of questions relating to the use of personal information by the public and private sectors. Not all of these questions will be of relevance to all respondents. However, we would be grateful if you could answer those questions that are most relevant to you.
Personal information is shared and used every day by both public authorities and private organisations. The scope and methods of information sharing vary greatly – ranging from an individual piece of personal information being shared once between two public authorities to the regular and wholesale sharing of personal information between two or more databases. Across this spectrum, the key question that arises – in terms of the public good (such as law enforcement, child protection or improved public services) – is what is the rationale for the sharing of personal information that is being sought. This then leads to such questions as whether the personal information being shared is being used for the purpose for which it was collected and not for incompatible purposes, and whether the amount of information being shared (and access to it) is proportionate. The safeguards needed in such situations need to be sufficient to command public trust and confidence. This consultation paper, therefore, seeks views on the scope of personal information sharing – i.e. what personal information is shared – and on the spectrum of information sharing – i.e. in what way is personal information shared.
We would also be grateful for any additional suggestions or observations you may have – from both the public and private sector – that you believe to be relevant to the review. We would welcome case studies of information-sharing initiatives that have been successful in delivering benefits to individuals and to society. We would also welcome frank appraisals of examples where information sharing has either not been successful or has failed to materialise – for example due to funding problems or the legal framework; due to a lack of political, institutional or cultural will; or because of public objections. We would further welcome case studies where problems were encountered in the sharing of personal information or where the sharing of such information generated unacceptable risks.
The consultation is aimed primarily at experts and practitioners in the field of data sharing and data protection in the public and private sectors; government departments and agencies with an interest in data sharing and privacy; the devolved administrations; the European Commission; the general public; and relevant organisations in the UK.
We would be grateful for responses by Friday, 15 February 2008.
QUESTIONNAIRE
This document assumes a working knowledge of the Data Protection Act and other relevant legislation.
Section 1: Background
Question 1
Please explain what your interest in information sharing is. If you have an active involvement in personal information sharing, we would be grateful for the following information:
- What kinds of personal information do you collect, hold and share?
- How do you collect, hold and share such personal information?
- For what purposes do you collect, hold and share such personal information?
Section 2: Scope of personal information sharing, including benefits, barriers and risks of data sharing and data protection
Question 2
What in your view are the key benefits of sharing personal information to a) individuals and b) society? Please provide examples.
Question 3
What in your view are the key risks of sharing personal information to a) individuals and b) society? Please provide examples.
Question 4
As mentioned in the introduction, there are wide variations in the scope and methods of personal information sharing. What scope and what methods, in your view, pose the greatest opportunities or risks? Please explain the reasoning behind your response.
Question 5
Please provide examples of where, in your view, the public authorities hold too much data or not enough personal information, and the reasoning behind your response.
Question 6
Please provide examples of where, in your view, private sector organisations hold too much personal information or not enough personal information, and the reasoning behind your response.
Question 7
Please provide examples of cases where you believe the sharing of personal information between two or more bodies would be beneficial, but where it is not currently taking place.
Please explain as fully as possible why information is not being shared, detailing what the barriers to the sharing of personal information are – e.g. legal, cultural, financial, institutional – and how these barriers can be overcome.
Question 8
Please provide examples of cases where you believe that personal information is being shared between two or more bodies, but where this should not be taking place.
Please describe the information-sharing concerned and why you believe it should not be taking place, including the risks involved in such information-sharing.
Section 3: The legal framework
The Data Protection Act (DPA) regulates the processing of information, including its obtaining, holding, use and disclosure. The second principle of the DPA is as follows: “Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.”
Question 9
In your view, how well does the DPA work? Please outline the DPA’s main strengths and weaknesses and any proposals for changes you would like to see made, including suggestions for their implementation.
Question 10
In your view, how well do public authorities and private organisations adhere to the second principle of the DPA? How valuable do you believe the second principle is? Please provide examples and the reasoning behind your response.
Question 11
What technical, institutional or societal barriers stand in the way of the effectiveness of the DPA? Please provide examples.
Question 12
What further powers, safeguards, sanctions or provisions do you believe should be included in the DPA?
Question 13
Are there any other aspects of UK or EU law (such as EU Directive 95/46/EC) that impact positively or negatively on data sharing or data protection? Please provide examples.
Question 14
Are there any statutory powers unavailable that would enable better and more secure sharing of personal information – for example for identity authentication purposes – between a) public authorities and b) public authorities and private organisations? If so, what are they? Please provide examples and any steps you believe could be taken to improve matters.
Question 15
Are there any parts of the legal framework that place an unreasonable burden on business? Please provide examples. Please outline your proposals for streamlining the legislation to ensure that such burdens are minimised.
Section 4: Consent and transparency
Question 16
Is it clear whether and when you need individuals’ consent to share information about them? Are you clear about the form that consent should take? Please provide examples. Please provide details of any initiative you have been involved in that has been based on consent.
Question 17
What, if any, barriers would a requirement for gaining consent create to the sharing of personal information? Please explain your reasoning.
Question 18
Do you have any suggestions on how to make the sharing of information more transparent? For example, should individuals be given strengthened access rights? And if so, how?
Should organisations be expected to do more to explain their use and sharing of personal information to the public? And if so, how?
Question 19
How can we best ensure that information sharing policy is developed in a way that ensures proper transparency, scrutiny and accountability? For example:
- In your view, how valuable is the Information Commissioner’s recently published Framework code of practice for sharing personal information?
- In your view, how valuable are privacy impact assessments along the lines announced by the Information Commissioner on 11 December?
Section 5: Technology
Question 20
What impact in your view have technological advances had on the sharing and protection of personal information? Please provide examples.
Question 21
Should the law mandate specific technical safeguards for protecting personal information? For example, should there be an explicit requirement that all personal information held on portable devices be encrypted to a particular standard?
Question 22
How, in your view, could ‘privacy enhancing techniques’, such as the anonymisation or pseudonymisation of personal information, help safeguard personal privacy, whilst facilitating activities such as performing medical research? Is sufficient advice about the deployment of such techniques available? Are you confident about using them? What are the barriers to using them?
Section 6: International comparisons
Question 23
Are you aware of any jurisdictions whose legal framework for sharing and protecting personal information contains features that could be useful in a UK context? Please provide examples.
Question 24
Do you have any international examples of good practice in the sharing of personal information that could or should be adopted by the UK?
Question 25
Do you have any knowledge of jurisdictions that have adopted a particularly permissive or restrictive approach to sharing personal information? What have the consequences of this been?
Question 26
Are you aware of significant differences in public attitudes to the sharing of personal information in other countries? Please provide examples and an explanation for why you believe this to be the case.
Section 7: Additional questions
Question 27
Are there any additional issues on the sharing of personal information and protection of personal information that this review should be considering? Do any of these issues apply specifically to your sector?
Question 28
Please set out any additional suggestions or observations you have that you believe will be of assistance to the review.

So, when I give a piece of information to a public body, I need to know to what purposes it will be put. I tell Islington Council the name of my partner when I set up my council tax. What other public sector bodies will know the name of my partner in six months’ time, and to what use might they put that information that I may not want?
What unacceptable risk is generated when, e.g., the BBC is given the entire National Insurance database to aid it with digital switchover? Or Transport for London allow the Met creeping access to congestion charge number plate info?
Individuals: Fraud, also other risks to vulnerable people — domestic abuse victims, people in witness protection programmes — essentially, anyone who has a legitimate reason to hide.
Society: Excessive sharing of personal information is detrimental to the privacy, and hence the dignity, of the individual. Individual dignity is essential to the functioning of a liberal democracy. It is important that, if more data is to be shared, we avoid the death of a thousand cuts! Wholesale breaches of privacy have a dehumanising effect — it is not necessary for anyone to experience a material loss for that to be true. This is a point which seems to be being completely overlooked by Government at the moment.
The Information Commissioner should have powers, a la the HSE, to inspect data controllers without their consent. Penalties for deliberate or reckless misuse or dissemination of personal data should be much higher. I think the current maximum is £5,000 which is completely pathetic.
[…] so our pro-consumer perspective will be vital here. We are also drafting a response to the Data Sharing Review and would appreciate input on, in particular, public authorities that hold too much data. And - […]
What is meant by “personal information” in this context? Does there need to be clarification, e.g. there has been some debate recently as to whether an IP address is “personal information”?
Individuals: selective discrimination based on data aggregation
Individuals: the risks of erroneous information being gathered and shared resulting in incorrect decision making by the sharers. It is often challenging for individuals to correct that information. I have personal experience of a change in post code by the post office resulting in a failed credit check. It required significant effort for the error to be corrected.