As information sharing moves higher up the government agenda for improving and modernizing public services in the UK, confusion over sharing personal data abounds within the sector. There is a need for a balanced approach to sharing personal information, but it must be done for good reason and while maintaining the principles of data protection.
The UK Information Commissioner’s Office (ICO) has launched a consultation on a proposed new framework code of practice for sharing personal information. The modernization agenda is very much based on sharing information. This is in response to a number of recommendations, among them those of Sir Michael Bichard following his enquiry into the murder of two schoolgirls in Soham by a man who succeeded in getting a job as a school caretaker, despite previous convictions. That information had not been shared among the relevant police forces at the time.
Another, more recent set of recommendations was made in the Varney report on modernization of public services. The report identified much duplication of effort and resources by the public sector when dealing with citizens; for example, 61 different benefits entitlement forms – the majority of which require the same standard information to be provided. Moreover, according to Sir David Varney, the author of the report, the public sector jointly holds 300 million contact details, which equates to almost five sets of information for every citizen.
The ICO’s consultation on its new framework code of practice comes at a time when there is increasing demand for sharing personal information. The importance of data protection has not diminished either; according to the information commissioner, 83% of the population rank protecting personal information as a serious or a very serious matter.
It is hoped that the framework code will help organizations adopt good practice when sharing personal information, in keeping with the requirements of the Data Protection Act (DPA). Under the act, every organization must notify the ICO if it processes personal information manually or by computer. These organizations are known as data controllers, and are required to inform the ICO of certain details about their processing of personal information. The commissioner maintains a register of data controllers and the types of processing that they do. The register is open to the public and can be accessed from a link on the ICO’s website.
The DPA should not be used as a kind of shield for organizations to hide behind in order to avoid doing anything towards service improvements. As for the more practical side of the law, a look at the online register of data controllers shows what appears to be a simple registration process. Basically, the DPA requires organizations to register: the kind of information that is processed; what is done with it; what type of organization it is shared with; and if it will be transferred outside of Europe. It appears to be clear and flexible, but perhaps this simplicity cannot be reflected in the day-to-day applications of the law, when organizations face confusing, real-life scenarios with a lack of confidence.
In such circumstances, the ICO’s framework code may not help; it could just add to the confusion. After all, the ICO has published many practical guides and papers on dealing with general and specific data disclosure scenarios, but the DPA still remains a mystery to many. What would be better are regular, updated, free online tutorials where examples of applications of the law are demonstrated and put to the test. Perhaps it will be only then that the DPA will be better understood by the people who have to apply it.
Source: OpinionWire by Butler Group (www.butlergroup.com)