Over the past years there has been a growth in data-matching and information sharing. Many of the initiatives have met problems as the legal powers of those involved and the proper ways to handle data sharing were unclear. The PIU report reviewed the problems and issued a set of recommendations. The public expect ‘joined-up’ and ‘personalised’ public services. This involves using new technologies that make data sharing much easier and affordable, but there remains doubt about how reliable or secure some of these technologies really are. The report recognises that there are problems with the public acceptance of data sharing, as not everyone sees the benefits of it.
Legal Issues
The PIU report’s aim is to ensure that, once information has got lawfully into the hands of any central or local government body for any purpose whatsoever, it can be shared with any other central or local government body for any other purpose. This is easily recognisable as a breach of the second principle of the Data Protection Act 1998, which states that information gathered for one purpose cannot be used for another purpose. Although the report states that it is not a review of the legislative framework, it nevertheless covers some legal issues. In the past few years a new legal framework has evolved, most notably the Data Protection Act 1998 and the Human Rights Act 1998, leading to significant changes in the relationship between the citizen and the state. This legal framework poses a great problem for the processing of data and personal data by central and local government and the report ignores many of these issues.
Under the Data Protection Act 1998, schs 2 and 3, grounds need to be found if personal data are to be processed lawfully. Public authorities need to look at the purposes for which the information was originally collected and ensure that no new purposes have been added. The doctrine of ultra vires dictates that central government and local authorities and other independent bodies must have the statutory powers to share data in the first place whereas in fact some public authorities have specific statutory limitations placed on them. Sharing data amounts to a disclosure to another data controller, not a data processor, and so the implications are that the data subject must be notified of this disclosure. Furthermore, there may be legal issues arising from the common law of confidence.
Potential for better use
The Government’s commitment to e-government means it aims to have all central government departments able reliably to manage their electronic information as corporate records by 2004. It hopes this will lead to more effective and better targeted policy-making and evaluation, creating more efficient, streamlined services while at the same time tackling the fight against crime and fraud. However, one the great barriers to e-government is data protection. The PIU report effectively marginalises data protection to enable data sharing to take place. Where there is no consent, the Government wants to pass legislation in order to have a lawful ground for processing under the Data Protection Act 1998. The problem for the Government is that, if a central or local government body lacks the statutory power to do what it wants to do with our personal information, no amount of consent from the individual can make up for this lack of statutory basis. This is the law at the moment. However, under the PIU report the Government wants us to be able to waive our rights by giving consent. This consent can hardly be given freely if individuals need some government service or benefit of some kind.
Twin Objectives
The report states that in order to share data successfully, enhancing privacy and maintaining public trust is key. The report states that public services should pursue the twin objectives of enhancing privacy and making better use of personal data to deliver smarter public services. These aims are not mutually exclusive and, says the report, it is possible and desirable to achieve both. This view is endorsed by the Prime Minister.
Key principles
Achieving these twin objectives requires a more strategic approach by the public sector and the report suggests that this approach is required by the services themselves, rather than by Government. The report highlights four key principles to guide the actions of public services:
- using data efficiently and effectively to reach goals
- adopting the least intrusive approach – this is similar to the idea under the Third Principle of the Data Protection Act 1998 that personal data should be adequate, relevant and not excessive
- citizens should have a greater say in how their personal data is used to deliver public services
- if data is used without an individual’s consent, then there must be openness and transparency in the policy making process.
Barriers
The Government identified a number of barriers to its data sharing project. First, there is a lack of public trust in the public sector’s use of, motives for and security of information. Secondly, the quality of data is variable. Thirdly, the public sector has been slow to adopt technology. Fourthly, the public sector approach to collection, use and sharing of data has been inconsistent in the past. Finally there are administrative barriers in various statutes and so there needs to be a greater awareness of the legal framework among public sector bodies.
Strategy
The report focuses on a strategy that requires change in five areas; building public trust, improving accuracy, making greater use of technology, modernising data management and consulting on “possible changes to improve legislative processes for establishing data-sharing gateways.”
Key Recommendations
There are 25 main recommendations, but only three recommendations for consultation. Three of the recommendations in the report were subject to a consultation process which ended on
- the development and adoption of a Public Services Trust Charter for the handling of personal information by public services
- the introduction of legislation to enable public bodies to share information with the consent of the data subject
- the establishment of datasharing gateways through secondary legislation, including gateways for datasharing without consent in specified circumstances and subject to a codified list of safeguards and adequate Parliamentary scrutiny.
Many general best practice recommendations are consistent with the Data Protection Act 1998 – for example, laying down clear principles for collection, use, access, management and correction of data. However, it is also recommended that the public sector needs to build public trust by, for example, appointing a named senior manager at board level with clear responsibility for managing and handling personal information, ensuring citizens are aware of their rights and what the law allows, and ensuring there are simple procedures in place for correcting mistakes. The public sector also needs to improve the accuracy and reliability of personal data, which means there should be basic standards to which public bodies must adhere. This includes labelling key data sets and carrying out internal and external audits. However, although these safeguards are supposed to make us happy about the data sharing, there is nothing to prevent central and local government from building a total profile of each of us.
Building Public Trust
The report recognises the need to protect privacy, but also admits there is a balance to be struck between individual rights and the wider public interest. Public interest is defined extremely widely and some civil liberties groups have highlighted that the potential for abuse and errors is huge.
The report’s recommendations lay down principles that the public sector should adhere to in order to build public trust, drawing attention to a Public Services Trust Charter and the Service Specific Privacy Statement. These appear remarkably similar to a privacy policy and a data protection notice. Surely this is a recipe for total confusion. Why not simply use the existing Data Protection Act 1998, which is a perfectly sensible and legitimate piece of legislation? Perhaps the Government does not want to use it as it is too protective of the rights of individuals and too inconvenient for central and local government’s aim of dragging their services into the 21st century.
Limitations
There are many limitations to the report, some of which I have already highlighted. The report puts the reality that data sharing will happen at its heart, rather than putting privacy and the Data Protection Act 1998 at the centre. The legal analysis is poor. It seems to come to the unavoidable conclusion that the public authorities need statutory power to share data. The report does not lay out clearly how the Trust Charter approach sits with the Data Protection Act 1998 and does not clearly explain who is the data controller once data has been shared. Furthermore, what is the position if consent is withdrawn?
The Report does not tackle head-on the issue of entitlement cards and the privacy implications of use. If the Government’s consultation paper on entitlement cards becomes a reality, the impact of data sharing between central and local government would have a huge impact on the privacy rights of individuals.
The reasonable solution in a democratic society is surely to pass legislation on a piece-meal basis if a government department finds that it does not have the power to do what it wants to do under a particular piece of legislation. This might be administratively burdensome, but this is what government is all about. If it wishes to govern us, then it should do so under the appropriate powers.
Conclusion
The report has created a culture of openness at odds with data protection law and it is weak on its overall direction. However, increased data sharing in the public sector seems to have become regarded as an inevitable development; the technological imperative is such that we have no choice but to accept it. It may be, for the time being at least, that this is true. No one could stop the growth of the use of the private car or the Internet – possibly there are some technologies to which we must simply adjust, but at the very least individuals deserve more real legal protection from potential abuses than is currently proposed in the PIU report.
For further information on the issues, see www.piu.gov.uk and www.cabinet-office.gov.uk.
Sarah Williams is a Trainee Solicitor in the Information & Technology Group at Masons.