On 25 October 2007, the Prime Minister announced a review into the way personal information is shared and protected in the public and private sectors, to be conducted by Mark Walport, Director of the Wellcome trust, and Richard Thomas, the Information Commissioner. A public consultation was conducted between December 2007 and February 2008 and the final report was published on 11 July 2008.
The review was commissioned in response to recent problems and anxieties in relation to the sharing of personal information, but was brought into focus by the subsequent data loss by Her Majesty’s Revenue and Customs in November last year. The review makes a number of general and specific recommendations, aimed at redressing the balance between maintaining public confidence and the security of personal information on the one hand, and maximising the potential benefits of sharing personal information to individuals, businesses and society on the other.
Recommendations are made in the following five areas.
Recommendations to transform the culture surrounding data sharing
The review concluded that there is a general lack of transparency and accountability regarding the use of personal information in both public and private organisations. This includes a lack of awareness within organisations as to who are the officers responsible for data protection issues and who would take responsibility in case of any problems. The lack of information provided to data subjects regarding how their information was being used was also highlighted as an area of concern. In addition, the review draws attention to the role individuals could and should play in protecting their own information.
A number of specific ‘good practice’ recommendations were made to address the issues of transparency and accountability, including recommendations for:
- companies to conduct annual internal reviews and report the results to shareholders;
- the publication of readily accessible ‘Privacy Policies’ outlining what personal information is held, why it is held, what it is used for, who can access it and how long it will be held for;
- the publication of public bodies’ data-sharing practices and schemes;
- the publication of lists of third parties with whom organisations share, exchange or sell personal information;
- the use of clear language when obtaining consent from data subjects;
- greater efforts to be made towards allowing data subjects to access and correct their personal information once given;
- organisations to continually review and enhance their corporate governance arrangements, including the training given to staff handling personal information; and
- the use of authenticating credentials, as opposed to personal information, as a means of providing services where possible.
The review acknowledges the risks inherent in the increased use of large and easily accessible databases, but also highlights developments in the security systems used to protect the contents of these databases. Caution is urged when planning such databases, such that use, access and retention of data should be constricted to what is necessary, not what is enabled by the technology.
Recommendations to clarify and simplify the legal framework
The legal framework currently governing data sharing is criticised in the review as lacking clarity, responsiveness and bite. It is argued that its complex and confusing nature often creates uncertainty within organisations genuinely attempting to comply with the law.
The review is very critical of the Data Protection Directive (95/46/EC) and strongly recommends that the UK actively promotes reform of the European data law. The review also recommends that legislation should be enacted in the UK to require the Information Commissioner to publish a data sharing code of practice and to enable the Information Commissioner to endorse more specific guidance to supplement this code. It is proposed that the code of practice is based on the Framework Code of Practice for Sharing Personal Information published by the Information Commissioner’s Office (ICO) in 2007 and is approved by Parliament.
In order to quickly remove or modify existing legal barriers to data sharing, the review advocates giving the Secretary of State the power to do this by Order, subject to having conducted a privacy impact assessment, sought the opinion of the Information Commissioner and gained the approval of both Houses. This is analogous to the power granted by section 75 of the Freedom of Information Act.
Annex F to the review contains a number of proposals for changes to the Data Protection Act 1998 prepared by the ICO. These were submitted during the course of the review and are not the subject of a specific recommendation.
Recommendations to enhance the effectiveness of the ICO
In addition, the following specific recommendations were made in relation to the powers and funding of the ICO:
- the maximum level of penalties set under section 55A of the Data Protection Act 1998 should be the same as those available to the Financial Services Authority;
- the new power to impose fines created by the Criminal Justice & Immigration Act 2008 should be brought into force by 8 November 2008;
- organisations should notify the Information Commissioner of significant data breaches as a matter of good practice and the Information Commissioner should consider any lack of notification when imposing penalties for data breaches;
- the Information Commission should be given the power to enter premises for the purposes of inspection and a duty should be imposed on the relevant organisation to co-operate with the inspection and provide any necessary information;
- the funding of the ICO should be increased (by an anticipated amount of £6 million per annum) by introducing a self-assessed multi-tiered notification fee system, based on the size of the data controller;
- the ICO should be re-structured to comprise a multi-member commission, in place of the current single commissioner.
Recommendations to assist research and statistical analysis
In the review, Mark Walport and Richard Thomas commend the value of research and statistical analysis which relies on the use of personal information and express concern that this may be hindered by the current legal uncertainty surrounding data sharing. To address this issue, it is suggested that new legislation is enacted (similar to the Statistics and Registration Service Act 2007) which creates an accreditation system for researchers, who may then work in ‘safe havens’ according to strict codes of practice. The review also recommends that the NHS develops a system to allow the identification of patients by approved researchers who may then be approached to take part in clinical studies for which patient consent is required.
Recommendations to protect personal information held in publicly available sources
The review calls for a Government enquiry into on-line services which aggregate personal information from publicly available sources, such as the electoral register, company registers, phone books and the internet. The ICO has previously issued enforcement notices against such services, but expects this problem to increase dramatically as more electronically accessible information enters the public domain, particularly with the proliferation of social networking sites.
It is also recommended that existing legislation be amended to prevent the sale of the edited electoral register - it is currently available for sale to anyone for any purpose. Although individuals are able to opt out of inclusion in this register, Mark Walport and Richard Thomas felt that it was “an unsatisfactory way for local authorities to treat personal information.” As the edited register serves no other purpose, it is recommended that it is abolished.
The review requests a timely response from the Government and a clear timetable for implementation of the above recommendations.