The following is my take on the data sharing paper just released by the
DCA - so any disagreement please go ahead
In essence, the Government want data sharing and has worked out that the
PIU's original "consent" route is a blind alley (we have always said at
Masons that consent cannot make an unlawful act, lawful). Consequently
it is looking at statutory gateways to facilitate data sharing (White
Paper and draft Bill promised next year). Of course, the dilemma is that
if there is a statutory gateway which permits data sharing, you can
waive the proverbial two fingers at the Data Subject. This is of course,
not the message that the DCA want to give.
The result is that the DCA refer to privacy safeguards in terms of
making the systems secure and having accurate personal data which the
data subject can exercise rights access. There is little prominence to
the idea that data subjects might object to the data sharing in the
first place.
My solution to permit data sharing is to focus on the right to object. I
think you could argue that instead of the PIU's original consent
approach, a statutory gateway which facilitated data sharing balanced
with application of the First Principle (i.e. data subjects have prior
knowledge about data sharing) PLUS an easier to exercise right to object
to data sharing (i.e. dropping the "substantial damage or substantial
distress" requirement for the exercise of the right) could be the
solution which provides the statutory gateway for data sharing AND an
appropriate level of protection for data subjects. Data Subjects after
all could say "NO". Such an approach would engender trust as data
subjects who trust the data sharing will not exercise this right.
There are two conclusions which can be drawn from the fact that the DCA
has not identified this "right to object" route:
(a) the DCA has missed the right to object option in its
analysis, or
(b) it has seen the right to object option and has omitted it
because it thinks that too many data subjects would object!
It is not for me to guess which of the above applies.
I also think that any data sharing arrangements should be taken out of
the hands of government as it has a vested interest in the ability to
share - I think here, Lindop's suggestion that an independent Data
Protection Authority should the balance is the correct one which has a
chance of creating the necessary "trust factor". So let the OIC approve
the framework which permits data sharing.
My own view is that the ID card and data sharing are two sides of the
same coin - it is noteworthy that the Government continues to treat them
as separate initiatives.
Chris.
KEY QUOTES FROM THE DCA PAPER
"In particular, we believe that the concept of a general power to share
data with consent is flawed and we will not be pursuing the idea
further. On current thinking, legislation will provide a general power
to set up data sharing gateways via secondary legislation. We are also
considering what extra safeguards may be appropriate if such legislation
is to form a package that properly balances the needs of more efficient
and effective administration and delivery of public services with
individuals' legitimate expectations of respect for their privacy and
the need to maintain their trust."
"The Home Office has carried out a consultation on Entitlement Cards and
Identity Fraud, which ended in January 2003, and a decision on how to
progress is expected shortly. Clearly, the introduction of such a secure
system to establish identity would have the potential for a major impact
on data sharing."
"The introduction of electronic data record management systems (partly
in order to help with preparation for the full implementation of the
Freedom of Information Act in 2005) is giving public sector bodies the
opportunity to build on the comprehensive internal security procedures
that already exist - and which are also being reviewed in the move to
ISO17799/BS7799 compliance." (CP Comment:2005 is mentioned)
"Our analysis suggests that one of the major inhibitors to data sharing
is a misunderstanding of the basic legal position on administrative
vires, not any particular problems caused by the Data Protection Act
itself (the view, mistakenly, of many practitioners in the field). If a
public body lacks the vires to carry out a function or deliver a service
or policy (to which data sharing is necessary or reasonably incidental),
then neither consent nor a specific information gateway on its own can
solve the problem."
"In terms of further enabling legislation, our judgement is that there
is little purpose in progressing the idea of a general law to allow data
sharing with consent. Consent is often already required to address
confidentiality issues, where these arise, so a general consent
provision is unnecessary here. Consent, on its own, is frequently
unnecessary in ensuring Data Protection Act compliance (it is just one
of the Act's several Schedule 2/3 conditions, any of which, if met,
provide a legitimate condition for the processing of data). Our view is
that the starting point in considering the lawfulness of data sharing
needs to be the vires for the substantive activity to be undertaken, not
the sharing of data per se: in general, data sharing should not be seen
as an activity in its own right. If the vires exists for the activity to
which data sharing is a necessary adjunct, then it is quite possible to
imply the vires to share data, even in the absence of an explicit
gateway. Problems arise in relation to data sharing if there is a lack
of clear vires for the substantive activity and, if this is the case,
consent does not resolve the problem (one cannot consent to an ultra
vires action). Even the presence of clear vires, however, does not mean
that public bodies have a completely free hand to proceed with data
sharing: issues of confidentiality, human rights and the requirements of
the Data Protection Act must also be addressed".
"We do, however, see the potential in a general power to allow data
sharing gateways to be set up via secondary legislation (it would, of
course, be open to any regulations made under such a power to provide
whether or not consent should form part of the basis of data sharing,
dependent on the particular circumstances or service being facilitated
by the sharing of personal data)."
This e-mail has been scanned for all viruses by Star Internet using MessageLabs SkyScan services. For more information visit: www.star.net.uk.
_________________________________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|