The calls come in a Data Sharing Review produced by Commissioner
Richard Thomas and Dr Mark Walport, a director of the Wellcome
Trust and member of the Government's Council for Science and
Technology.
The report was commissioned by Prime Minister Gordon Brown in
the immediate aftermath of the loss of records on 25 million people
by HM Revenue and Customs last year.
The report recommends the extension of the powers of the
Information Commissioner's Office (ICO) to allow it to inspect an
organisation's data protection systems even against the will of
that organisation.
In the aftermath of the HMRC scandal, Brown allowed the ICO the
power to force inspection of public bodies' systems. Thomas has
previously called for the extension of that power into the private
sector.
"The key to effective enforcement lies in the regulator’s
ability to undertake necessary investigations and inspections, so
that regulatory failures can be identified and corrected," said the
report. "In those cases where there is resistance the power to
inspect will need mandatory back-up. Indeed, without an incentive
or legal compulsion, it is doubtful that many organisations would
want to take the risk of consenting to an inspection."
The report also says that the electoral register should not be
for sale. Local authorities sell a version of the electoral roll to
marketers, allowing people to opt out of inclusion on the version
that is sold.
"We feel that selling the edited register is an unsatisfactory
way for local authorities to treat personal information," said the
report. "It sends a particularly poor message to the public that
personal information collected for something as vital as
participation in the democratic process can be sold to ‘anyone for
any purpose’."
The report is the fifth following the HMRC scandal and other
data losses by public bodies, including the Ministry of
Defence.
Overall, Walport and Thomas's Review argues that organisations
have to transform the way they use and share personal information.
It points out that, because public confidence in organisations’
ability to protect personal information has been seriously damaged,
remedial measures are needed to restore trust in data sharing.
"Public confidence in how personal information is safeguarded is
evaporating," Mark Walport, one of the authors of the Review, told
OUT-LAW. "We recommend that decisions should be made in the context
of a clear statutory code of practice" linked to "stronger
leadership and accountability in organisations that use and share
personal information [and] to greater openness and transparency in
the way our information is handled by others."
The report has asked that the Government implement its measures
and report on its progress in 18 months' time.
"The research community will be happy that the Review has
recommended the wider use of personal data for research purposes
subject to certain security considerations and the Government will
be pleased that they have been recommended a general order making
power that facilitates data sharing, subject to a consultation
process with the ICO," said Dr Chris Pounder, a data protection
specialist with Pinsent Masons, the law firm behind OUT-LAW.
"The Review has a lot to commend it, but personally speaking I
would have liked to see recommendations that empower the individual
and Parliament to scrutinise data sharing policy, for example by
making it easier for data subjects to object to some data sharing,
or to strengthen the weak Parliamentary processes associated with
the scrutiny of order making powers by Ministers, or to allow the
Commissioner to challenge the actual orders through the Courts on
the grounds that the order is an infringement of the human rights
obligations," he said.
The Thomas / Walport recommendations
Recommendation 1: As a matter of good practice,
all organisations handling or sharing significant amounts of
personal information should clarify in their corporate governance
arrangements where ownership and accountability lie for the
handling of personal information.
Recommendation 2: As a matter of best practice,
companies should review at least annually their systems of internal
controls over using and sharing personal information; and they
should report to shareholders that they have done so.
Recommendation 3: Organisations should take the
following good-practice steps to increase transparency:
(a) Fair Processing Notices should be much
more prominent in organisations’ literature, both printed and
online, and be written in plain English. The term ‘Fair Processing
Notice’ is itself obscure and unhelpful, and we recommend that it
is changed to ‘Privacy Policy’.
(b) Privacy Policies should state what
personal information organisations hold, why they hold it, how they
use it, who can access it, with whom they share it, and for how
long they retain it.
(c) Public bodies should publish and maintain details of their
data-sharing practices and schemes, and should record their
commitment to do this within the publication schemes that they are
required to publish under the Freedom of Information Act.
(d) Organisations should publish and
regularly update a list of those organisations with which they
share, exchange, or to which they sell, personal information,
including ‘selected third parties’.
(e) Organisations should use clear language
when asking people to opt in or out of agreements to share their
personal information by ticking boxes on forms.
(f) Organisations should do all they can
(including making better use of technology) to enable people to
inspect, correct and update their own information – whether online
or otherwise.
Recommendation 4: All organisations routinely
using and sharing personal information should review and enhance
the training that they give to their staff on how they should
handle such information.
Recommendation 5: Organisations should wherever
possible use authenticating credentials as a means of providing
services and in doing so avoid collecting unnecessary personal
information.
Recommendation 6: Any changes to the EU
Directive will eventually require changes to the UK’s Data
Protection Act. We recognise that this may still be some years
away, but we nonetheless recommend strongly that the Government
participates actively and constructively in current and prospective
European Directive reviews, and assumes a leadership role in
promoting reform of European data law.
Recommendation 7(a): New primary legislation
should place a statutory duty on the Information Commissioner to
publish (after consultation) and periodically update a data-sharing
code of practice. This should set the benchmark for guidance
standards.
Recommendation 7(b): The new legislation should
also provide for the Commissioner to endorse context-specific
guidance that elaborates the general code in a consistent way.
Recommendation 8(a): Where there is a genuine
case for removing or modifying an existing legal barrier to data
sharing, a new statutory fast-track procedure should be created.
Primary legislation should provide the Secretary of State, in
precisely defined circumstances, with a power by Order, subject to
the affirmative resolution procedure in both Houses, to remove or
modify any legal barrier to data sharing by:
- repealing or amending other primary legislation;
- changing any other rule of law (for example, the application of
the common law of confidentiality to defined circumstances);
or
- creating a new power to share information where that power is
currently absent.
Recommendation 8(b): Before the Secretary of
State lays any draft Order before each House of Parliament, it
should be necessary to obtain an opinion from the Information
Commissioner as to the compatibility of the proposed sharing
arrangement with data protection requirements.
Recommendation 9: The regulations under section
55A of the Data Protection Act setting out the maximum level of
penalties should mirror the existing sanctions available to the
Financial Services Authority, setting high, but proportionate,
maxima related to turnover.
Recommendation 10: The Government should bring
the new fine provisions fully into force within six months of Royal
Assent of the Criminal Justice & Immigration Act, that is, by 8
November 2008.
Recommendation 11: We believe that as a matter
of good practice, organisations should notify the Information
Commissioner when a significant data breach occurs. We do not
propose this as a mandatory requirement, but in cases involving the
likelihood of substantial damage or distress, we recommend the
Commissioner should take into account any failure to notify when
deciding what, if any, penalties to set for a data breach.
Recommendation 12: The Information Commissioner
should have a statutory power to gain entry to relevant premises to
carry out an inspection, with a corresponding duty on the
organisation to co-operate and supply any necessary information.
Where entry or cooperation is refused, the Commissioner should be
required to seek a court order.
Recommendation 13: Changes should be made to
the notification fee through the introduction of a multi-tiered
system to ensure that the regulator receives a significantly higher
level of funding to carry out his statutory data-protection
duties.
Recommendation 14: The regulatory body should
be re-constituted as a multi-member Information Commission, to
reinforce its status as a corporate body.
Recommendation 15: ‘Safe havens’ should be
developed as an environment for population-based research and
statistical analysis in which the risk of identifying individuals
is minimised; and furthermore we recommend that a system of
approving or accrediting researchers who meet the relevant criteria
to work within those safe havens is established. We [Thomas /
Walport] think that implementation of this recommendation will
require legislation, following the precedent of the Statistics and
Registration Service Act 2007. This will ensure that researchers
working in ‘safe havens’ are bound by a strict code, preventing
disclosure of any personally identifying information, and providing
criminal sanctions in case of breach of confidentiality.
Recommendation 16: Government departments and
others wishing to develop, share and hold datasets for research and
statistical purposes should work with academic and other partners
to set up safe havens.
Recommendation 17: The NHS should develop a
system to allow approved researchers to work with healthcare
providers to identify potential patients, who may then be
approached to take part in clinical studies for which consent is
needed.
Recommendation 18: The Government should
commission a specific enquiry into on-line services that aggregate
personal information, considering their scope, their implications
and their regulation.
Recommendation 19: The Government should remove
the provision allowing the sale of the edited electoral register.
The edited register would therefore no longer serve any purpose and
so should be abolished. This would not affect the sale of the full
register to political parties or to credit reference agencies.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.