Dear All,
Yes, Doreen is quite right. Data Protection and "Joint up Government" are
dragging L.A.'s in opposite directions. However ....
1. With the '98 Act, the Data Controller is "The Council". This should
make it easier as there is less scope for the older turf wars between
Depts. Data is "owned" by the Council. However, watch out for any special
rules for CT data and don't forget confidentiality as the old Common Law
duty still exists. Your new Notification should cover sharing data around
the Council - as long as it is only the data needed, etc. Of course, this
is all dependent on getting informed prior consent from the data subject
to the use of their data for a purpose other than that for which it was
originally supplied. Leeds is reviewing all its application forms (try
defining an "application form" in your Council) with the aim of including
statements about use of data and,if necessary, tick lists of purposes.
Don't forget that most people will agree to data sharing WITHIN the
Council if it might be to their advantage, e.g. they might get better
services, more benefits, bins emptied better, etc. Its not just about
stating the law. You may need to positively sell the advantages of
allowing personal data to be used within the Council. (One possible
practical solution is to use "Chinese Walls". If Dept. A wants data from
Dept. B to pursue a new initiative, B can send a letter to its clients
containing a message from A plus a replied paid envelope from A. If the
client is interested in the new service, they can reply directly to A to
ask for it. That way, A has no idea who B has mailed while B has no idea
who replied to A. And the clients have given consent to A - providing some
careful thought has been given the wording of the letter and they reply
using a pro forma.)
2. Where there are joint initiatives involving other public sector groups,
the use of contracts will be vital. A contract must cover all the rules
about the data to be shared, who has access, security measures, training
plus, naturally, strict rules about obtaining informed prior consent from
data subjects - where this is necessary. Leeds already has one such
contract in place for joint use of a housing waiting list by both our Dept.
and local housing assocs. Others are in the pipe line.
3. Where health data is concerned, it is vital to become acquainted with
"Caldicott Guardians" and "Caldicott Principles". The Principles are
relatively simple but the Guardians - a real person in each bit of the NHS -
will jealously guard access to any clinical data. This poses severe
problems. E.g. we have had to go through several hoops to get hold of data
about 4 year olds for next September's school entries. The practical
approach here is to create "Caldicott Agreements" WITH EACH PART OF THE
LOCAL NHS. You have to pick them off as they are incapable of acting
jointly! We have one such agreement with the local hospital trust and Soc.
Services to cover a Joint Care Planning Team getting little old ladies out
of hospital and back into the community. (For example, where hospital staff
access our data, they have to follow our published Security Policy and where
our staff access their data, they follow the hospital's Security Policy.) So
find out who your "Caldicott Guardians" are and get agreement to formal
statements of joint working.
4. Where there are public/private sector initiatives, I dread to think
what we are doing. Private sector attitudes to data protection are highly
variable. In the current climate, it is difficult to give practical
advice.
5. However, the general principles should be clear :-
- informed prior consent must be obtained
- some form of written and legally binding contract is necessary
- make sure each side swaps their security policy (Principle 7) or even
agrees a joint policy
- include staff awareness/training and get them to sign a piece of paper
that says "I understand and will abide by the Data Protection and other
rules."
Remember you can sack you own staff but you will have to sue others if
there is a total #@*%$*-up. If you don't have a contract, it is difficult
to sue a third party. So my advice is to actively pursue contracts in one
form or another and act defensively.
Roger Cook
I.T. Security Manager
Leeds City Council
______________________________ Reply Separator _________________________________
Subject: Data Protection/Modernising Government
Author: "Broom; Doreen" <[log in to unmask]> at Internet
Date: 17/08/00 11:28
All
Have any of your organisations given any thought to the above?
The Prime Minster wants this joined-up Government approach (I believe now by
2005) which I foresee as a means of sharing information within organisations
both internally and eventually externally. This makes sense in some
instances especially in connection with detection of fraud/crime prevention
etc.
How do you see our roles of Data Protection Officers because on the one hand
Mod Govt wishes to make information freely available and on the other, Data
Protection ensures that information is only obtained for one specific
purpose and not freely disclosed. Really, both these agendas contradict
each other.
I would be glad to receive any views on this.
Doreen Broom
Data Administrator
Scottish Borders Council
Council HQ
Newtown St.Boswells
Melrose
Borders TD6 0PX
Tel: 01835 824000 (Ext.5444)
Fax: 01835-825041
________________________________________________________________
This e-mail is privileged, confidential and subject to copyright.
Any unauthorised use or disclosure of its contents is prohibited.
The views expressed in this communication may not necessarily
be the views held by the Scottish Borders Council.
_________________________________________________________________
__________________________________________________________________________
Please ensure that any attachments to this E-Mail are checked for viruses.
__________________________________________________________________________
________________________________________________________________________
The information in this email (and any attachment) may be for the
intended recipient only. If you know you are not the intended recipient,
please do not use or disclose the information in any way and please
delete this email (and any attachment) from your system.
________________________________________________________________________
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|