The Data Sharing Review, commissioned by the Prime Minister last October to look at the use and sharing of personal information in the public and private sectors, published its final report today. The report argues that data sharing is shrouded in confusion and spotlights deficiencies in the organisational culture of those who collect, manage and share personal information. Its authors call for personal data to be handled, like any valuable asset, with respect.
We attended workshops with the reports authors and drafted a submission emphasising the risks rather than the benefits associate with data sharing. In the conclusion to our submission, we said, "If customers were to participate fully in the design and decision-making of the public services intended to benefit them it seems to us very unlikely they would come up with the centralised databases and data sharing approach of Transformational Government."
The report is 80 pages long (ignoring the annexes, all 112 pages of them) so if you don't have time to read it all, here are some points of interest.
The report neglects to make specific recommendations on any of the current or future large government databases. This is deeply regrettable as a missed opportunity to encourage respect for personal data and greater trust in the public and private bodies who store our data. Even if all the recommendations are followed, the impact of this report will be minor: a toothless regulator will gain some powers, medical research will become easier, and sale of the edited electoral register will be prohibited.
Based on the evidence we have collected and analysed, we believe change is necessary to transform the culture that influences how personal information is viewed and handled; to clarify and simplify the legal framework governing data sharing; to enhance the effectiveness of the regulatory body that polices data sharing; to assist important work in the field of research and statistical analysis; and to help safeguard and protect personal information held in publicly available sources.
Data Sharing Review Report Page 7
- No recommendations about any of the massive government databases
- Enhancing the effectiveness of the regulator
- Removing legal barriers to data sharing
- Developing a culture of respect for personnel data
- Research and statistical analysis
- Enquiry into online aggregation of personal information
- Time table please
No recommendations about any of the massive government databases
During the course of our review, many people made comment about specific Government initiatives involving the wider use of personal information, including proposals for a national identity card and the related national identity register, and about ContactPoint. Our task however was not to look at specific projects but to review the general principles governing the use and sharing of personal information. For this reason, we make no recommendations about individual data-sharing schemes.
Data Sharing Review Report Page 14
That the review ignores projects like the National Identity Register, ContactPoint, NHS Spine, which are planned to collate personal data on the entire population and represent a major concerns for many of those who responded to the consultation, is shameful. Our response to the Data Sharing Review noted that: "Large databases which need to grant access to many hundreds of users will inevitably fail along one of three axes - scale, functionality or security."
Enhancing the effectiveness of the the regulator
A strong regulator is also needed to facilitate these cultural improvements. It is essential that the regulator has sufficiently robust powers and sanctions available to it; and that it is resourced adequately. We welcome recent changes in the law to provide the Information Commissioner with a power to impose financial penalties for wilful and reckless breach of the data protection principles and call on the Government to implement these changes quickly. We also believe that stronger inspection and audit powers are required and that new funding arrangements to enable effective enforcement are long overdue. We also recommend an important change in the nature of the office of the Information Commissioner in order to improve the provision of guidance and the regulatory oversight of the handling and sharing of personal information. We recommend that a Commission with a supporting executive team replace the single Information Commissioner.
Data Sharing Review Report Page 3
The Information Commissioner's Office (ICO) is widely seen as "a toothless tiger", because it lacks resources and enforcement powers, amongst other reasons. The Data Protection Act should include stronger penalties and sanctions, and the ICO should be given increased powers and resources to more effectively carry out his duties.
Recommendation 9: The regulations under section 55A of the Data Protection Act setting out the maximum level of penalties should mirror the existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover.
One reason why the Data Protection Act is not taken seriously in businesses, at Board level, is its lack of sanctions. Section 55A of the Data Protection Act provides a new fine for data controllers who recklessly or repeatedly allow significant data breaches. This new power was created during the course of the review and this recommendation hopes to increase the maximum fine.
To date prosecutions brought under the any part of section 55 have generally resulted in low penalties. Between November 2002 and January 2006, only two out of 22 cases ended with fines above £5,000. Other investigations led to frustrating outcomes, despite the harm caused to individuals and public confidence more generally. Since 2006 there have been two further successful prosecutions and a further individual cautioned, resulting in fines ranging between £3,300 and £4,200. This is pocket change to many businesses and does not present a significant deterrent, so we welcome the recommendation to increase maximum fines.
Recommendation 10: We also call on the Government to bring these provisions fully into force within six months of Royal Assent of the Criminal Justice & Immigration Act, that is, by 8 November 2008.
This is a welcome call on Government to hurry up. We also cover this in more detail later under the heading Time table please.
Recommendation 12: We recommend that the Information Commissioner should have a statutory power to gain entry to relevant premises to carry out an inspection, with a corresponding duty on the organisation to co-operate and supply any necessary information. Where entry or co-operation is refused, the Commissioner should be required to seek a court order.
There is wide support for the Information Commissioner to be given powers to carry out audits and inspections unannounced. The simple threat of a court order should be enough in most cases to allow voluntary access. That an individual or organisation has the right to review via court of law provides an important safeguard against bureaucratic abuse. The wording of law will require carefully review, but the concept is good.
Recommendation 13: We therefore recommend that changes are made to the notification fee through the introduction of a multi-tiered system to ensure that the regulator receives a significantly higher level of funding to carry out his statutory data-protection duties.
The ICO lack the resources to promote, let alone enforce, proper information management practices. Greater funding may to make the ICO slightly more effective. The review seeks to secure increased funding by levying a higher annual charge on the small percentage of organisations that hold data on millions of people. The figure for most data controllers will remain at £35.00 per year. In reality this will at most double their budget, and so business's will still know the odds of being caught are extremely low.
Removing legal barriers to data sharing
Recommendation 8(a): Where there is a genuine case for removing or modifying an existing legal barrier to data sharing, a new statutory fast-track procedure should be created. Primary legislation should provide the Secretary of State, in precisely defined circumstances, with a power by Order, subject to the affirmative resolution procedure in both Houses, to remove or modify any legal barrier to data sharing by:
- repealing or amending other primary legislation;
- changing any other rule of law (for example, the application of the common law of confidentiality to defined circumstances); or
- creating a new power to share information where that power is currently absent.
Recommendation 8(b): Before the Secretary of State lays any draft Order before each House of Parliament, it should be necessary to obtain an opinion from the Information Commissioner as to the compatibility of the proposed sharing arrangement with data protection requirements.
This is a bad recommendation. It weakens safety checks and removes powers from parliament, in exchange for giving the Information Commissioner the power to state an opinion. This opinion in practice can be ignored if the minister wants to.
Developing a culture of respect for personnel dataRecommendations 1 to 5 are rather woolly and will have little concrete effect. They recommend training for staff handling personnel data, knowing what personnel data you hold, what you do with it and what the controls are, etc. Recommendation 5 is the closest to a nod in the right direction, but even here its worth pointing out that most organisations do not need to authenticate you, many interactions can be done anonymously.
Research and statistical analysisRecommendations 15, 16 and 17 cover research and statistical analyses of personal data, for example, wherever possible, such data should be anonymised. The review team evidently received complaints from researchers because the report tries to make life easier for medical researchers. We note that legal barriers to information sharing are generally in place for good reasons, for example preventing incidents like HMRC losing vast amount of data. The second data protection principle states "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes." Data Protection Act 1998
Enquiry into online aggregation of personal information
This is an enquiry that ORG will keep an eye on. It mentions social networking sites but we cannot comment further without more detail.
Recommendation 18: We recommend that the government should commission a specific enquiry into online services that aggregate personal information, considering their scope, their implications and their regulation.
Time table please
We strongly commend these recommendations to the Government and we look forward to a timely response. In particular we would like the Government, as part of its response, to set out a clear timetable for implementation and to report on progress in eighteen months time.
Data Sharing Review Report Page 10
P.S. It would be nice if the Government, as part of its response to this review, established a clear timetable for implementation so we do not end up one year from now asking "where are our reforms?"