As many data protection practitioners are well aware, there is a whole raft of legislation affecting the sharing of personal data. There are laws to tell us we must share. There are laws to tell us we absolutely must not share. There are laws that say we can share specific personal data with specific named bodies. There are laws that suggest implicitly that we can share, maybe, if the wind is blowing in the right direction that day…but we could always be challenged on that sort of sharing. It’s a minefield for your data protection officer who dreads that question “Can we share that data?” The response inevitably, and somewhat unhelpfully, is often “Well, it depends….”. With monetary penalties available to the Information Commissioner of up to £500,000 if your organisation gets it horribly wrong, it’s hardly surprising such organisations are often risk-averse when it comes to data sharing with other third parties.
It seems almost impossible for any one individual to be knowledgeable about all of these different rules, hidden within numerous Acts of Parliament, Regulations, and Statutory Instruments (There is no consistent way of publishing these). Take for example birth and death data. Local authorities need to know where new-born babies are, not only to plan future school places but also to meet statutory Ofsted reach targets which require them to contact the new parent or parents to offer services for the child. It would seem obvious to acquire that information from their local authority registration service. Yet the Office of National Statistics point out that Statistics and Registration Service Act 2007 explicitly prohibits the local registration service from passing that information to its local council, its own employer, except for public health purposes.
The Law Commission, which has been studying this issue for the last year, says that it has only just begun to scratch the surface regarding the huge amount of different pieces of legislation that contain references to data sharing. It looks set to recommend this month to Government that there should be a full review of the law relating to information and personal data sharing.
The Government has for some time realised that this is a problem and wishes to “develop a better understanding of the economy and society, deliver more targeted and joined-up public services, and save public money lost through fraud, error and debt ” through effective, and legal, information sharing.
Current legislative and cultural barriers have resulted in a cottage industry of data sharing agreements between government departments and other partners, which can take time and resources to put in place. The government is well aware, at a time when Care.Data is the elephant in the room, that trust is a key issue in this process. How can the government ensure sensible data sharing to provide more efficient and less costly services for the public, which complies with all relevant legislation (the Data Protection Act 1998, the Human Rights Act 1998 and the more tricky issue of the unwritten common law duty of confidentially) and maintain the trust of the public? To address this it has decided to launch an open policy making process:
“The intention is to embark upon an open policy process that brings together those inside and outside government interested in maximising the benefits and minimising the downsides to citizens of personal data sharing within government.”
The Cabinet Office, in collaboration with other government departments, is leading on the work, driven by Cabinet Minister Francis Maude, who is responsible for the Government’s transparency policy. This work must now dovetail with the Law Commission’s proposals and ultimately the new proposed EU Data Protection Regulation. The process is being coordinated by Involve, a civil society organisation, which has been awarded £20,000 to progress the policy-making process. Initial meetings have been held, a mailing list and website established, and input is now required from anyone interested in helping to shape future data sharing of public sector information.
Organisations are actively being encouraged to become involved. Civil society organisations involved to date include the likes of Big Brother Watch, MedConfidential, No2ID, The Open Rights Group, The Children’s Society, New Philanthropy Capital, Nuffield Foundation, Open Data Institute, Which and the ESRC.
What happens next?
The expected future developments of the process are as follows:
The Law Commission will report in April recommending a review of the law relating to data sharing.
Proposals will be developed under the new open policy making process until mid-August.
A policy document will be produced for mid-September for MPs to consider upon returning from recess.
Legal Counsel to produce key draft clauses and a White paper for the Christmas break.
Open public consultation Jan – March 2015.
The next Government will consider any data sharing proposals in the first session of Parliament after the 2015 General Election.
Clearly there needs to be cross-party support for this project for it to proceed past the next election. It is however very likely that this will be supported by all main parties and should not be a showstopper. The engagement of the organisations mentioned above at this early stage is important. With high profile organisations such as those on board, ensuring that privacy concerns are addressed early, it reduces the chance of problems for the government later in the process… and enables the government to cash in on a potential £16 billion of estimated income from UK data assets.
More importantly for the public though, this more inclusive process will hopefully genuinely address those privacy concerns that appear to have been wilfully ignored during the Care.Data process. This week has seen media reports focussing on HMRC selling our tax records next, and the fact that children’s records are already sold; a fact parents were no doubt unaware of and certainly not consulted upon. It is therefore vitally important that practitioners and organisations on the ground, the ones physically sharing data on a daily basis, can feed into this process in its initial stages to highlight and bottom out real practical issues as well as legislative and cultural ones.
This is no small task, and the timetable is incredibly tight to keep those involved focussed. As Francis Maude said at the last meeting, we don’t even know if we will be able to come up with anything workable; it could simply be too difficult. It is however worth the effort if it simplifies the data sharing process and offers the public a better and cost-effective service, whilst taking into account privacy concerns.
It’s not too late to get involved. If you have experience of information sharing or are a data protection practitioner or privacy expert, you can sign up at the www.datasharing.org.uk website, or join the mailing list, and help shape the proposed White Paper.
Lynn Wyeth is the Information Governance Manager at Leicester City Council. Follow her on Twitter @LynnFoi.
We will be discussing these developments in our forthcoming information sharing workshops.