The Law Commission has opened a consultation on the law around sharing of personal information between public sector organisations. Law Commissioner Frances Patterson QC says:
“It could be that more data sharing would improve public services but, if that is so, we need to understand why data is not being shared. Is there a good reason to prevent data sharing? Or is the law an unnecessary obstacle? Are there other reasons stopping appropriate data sharing? These are the questions we want to answer in this consultation.”
The legalities of data sharing is a subject which often confuses public sector officials. Local authorities, in particular, are often stumped by the “To Share or Not to Share” question, even if the sharing is for very good reasons (e.g. child protection or crime prevention). In some cases, even internal departments have felt constrained from updating each other about a change of a service user’s address.
More often than not, the Data Protection Act 1998 (DPA) is made the scapegoat for officials’ failure to fully understand the law. It is wrongly perceived as a barrier to data sharing despite offering a range of justifications (e.g. consent, legal obligation, protecting vital interests etc. (Schedule 2)).
Many attempts have been made to resolve this “problem”. In May 2011, the Information Commissioner published a statutory Code of Practice on data sharing. The code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information. Under Section 52 of the DPA, the code can be used as evidence in any legal proceedings and can be taken into account by the courts and the Commissioner himself when considering any issue.
Despite the clear guidance in the code, the Government has sometimes toyed with the idea of new laws. Last year, according a story in the Guardian newspaper, proposals were to be published by the Cabinet Office minister, Francis Maude, which would make it “easier” for government and public-sector organisations to share confidential information supplied by the public:
“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.
“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”
The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards. I could not find the proposals on the web. Anybody know whether they were ever published?
Confusion around data sharing continues to reign! The tragic case of Daniel Pelka is one example. The recent report into the four-year-old’s death, published by the independent Coventry Safeguarding Children Board identified a number of missed opportunities where professionals across a number of agencies should have done more to protect Daniel. Amongst other things, it concluded that the sharing of information and communications between all agencies was not robust enough.
Ill informed comments about the current law (especially the DPA) do not help. In a recent Daily Telegraph article by Michael Gove, the Education Minister claimed that, whilst tying to understand the underlying causes of child exploitation, he discovered that OFSTED “was prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing that data with us, or even with the police.” There is nothing in the DPA which prevents this. Don’t just take my word for it. Read the Information Commissioner’s riposte to the learned Mr Gove.
Do we really need new laws on data sharing or a better awareness of the existing ones? My view is that the current law is adequate to regulate yet allow responsible data sharing. The DPA and the Data Sharing Code need to be properly understood. They can be a tool allowing responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).
The Law Commission consultation runs until 16 December 2013 and the paper may be accessed at: http://lawcommission.justice.gov.uk/. Responses can be emailed to firstname.lastname@example.org or sent by post.