Beyond the principles
Controversies over public sector data gathering obscure the often necessary role of data sharing. In reviewing practice we must look beyond the Data Protection Act
In light of the recent data security fiascos which have hit the headlines, it is easy to say that “data sharing” in the public sector is not without its difficulties. However, data sharing amongst public authorities and with other organisations is essential to the very existence of many public services. Indeed “partnerships involving local public bodies, such as local authorities, primary care trusts and the police are a significant feature of public delivery”: Audit Commission Press Release, “Governing Partnerships: Bridging the Accountability Gap” (October 2005).
But behind every data sharing initiative there are a plethora of considerations. When a public authority wants to share data, it has to consider not only the Data Protection Act (the “DPA”) itself: throw into the pot its compliance with administrative law, the Human Rights Act, some common law and a few specific obligations, and its proposals to undertake data sharing can be a bit of a mix. The combined effect is like “wading through treacle” (“Media Law”, The Law Society Gazette, 22 January 2004).
Most of us have no real issue with the collection of our personal information where it is to be shared with others in the fight against terrorism, or where we will benefit from improved services, and certainly public authorities can process our personal data without our consent where certain conditions are met under the DPA. However, whilst public authorities have the power to share data within the confines of this mixture, each condition has to be carefully scrutinised, and data sharing agreements and protocols still remain to be put in place, to ensure the data sharing does not go beyond the scope originally set out.
In undertaking any data sharing exercise, a public authority needs to address competing demands – to protect the privacy of its local constituents, but at the same time promote openness and transparency with regard to how it operates and functions. In spite of such competing interests, the UK regulator, the Information Commissioner’s Office, maintains that the “Data Protection Act  does not stop information sharing where appropriate” (“Information Sharing to Improve Services for Children”).
In balancing the act of sharing personal data with other bodies with the need to protect the privacy rights of the individual, public sector bodies, as data controllers, must also comply with the eight data protection principles. Not only this, such a balancing act must be undertaken in an ever growing information and technology driven community and a never ending stream of e-government initiatives.
But data sharing could be a powerful tool in the development of services and the prevention of incidents, and the DPA is often perceived as getting in the way of doing this. There are of course some stark examples of such perceptions – if information had been shared with social services, the deaths of two elderly pensioners, following the disconnection of their gas supply, might have been prevented. In this instance the sharing of information did not occur on the basis that the DPA had somehow prevented the data sharing between the gas supplier and the relevant social authorities.
Contrast this with the case of Ian Huntley, the Soham murderer. In his case, the DPA was criticised for hindering and perhaps even preventing the transfer of sensitive information between public authorities which would probably have prevented Huntley from becoming a school caretaker.
The issue in the Huntley case, in contrast to that of the two pensioners, is data retention issues preventing data sharing. Here the police had deleted electronic information in what they thought was a necessary destruction process where they could not share information they had with other organisations. From this we must assume that data sharing initiatives will be of no value if social services fail to retain data to share in the first place, and as such the initiatives being set up to encourage data sharing must be done in light of the need to understand data retention issues better. Sadly, in both of the above cases, the UK’s Information Commissioner was of the view that the DPA would not have prevented the sharing of information.
Current review and consultation
Clearly, in both of these instances, if there had been data sharing across the relevant sectors, harm might have been prevented. Whilst guidance in this area has been thin on the ground, the difficulties relating to the sharing of personal information now form part of a review by Dr Mark Walport and Richard Thomas, the UK Information Commissioner, with their consultation on the use and sharing of personal information in the public and private sector having closed last month.
Data sharing initiatives can elicit fears and concerns regarding what the information will ultimately be used for, and just who will have access to it. But as public authorities share and collect information there are other issues to consider, such as what to do with the sheer volume of data that will be created, just how will authorities actually be able to sift through such vast quantities of data to get what they want, and will the holding of such quantities of data be proportionate to the problem in the first place.
The review and consultation will look at both successful and unsuccessful data sharing initiatives and whether there is a need to amend the current legislation. In particular they will be examining whether there is a real need to give greater powers and sanctions to the Information Commissioner.
The Information Commissioner has never said or implied that the DPA can, or should provide a detailed set of “dos and don’ts”. With the ever changing, technology driven environment in which we live, it will be increasingly difficult to provide a more stringent set of data protection rules that could be fluid enough to cope with such a changing environment. Data sharing is a complex area which clearly involves many facets of, perhaps, equal importance; the issue does not “hang” solely on data protection compliance. This is one of the weaknesses of carrying out any review that seeks to have as its focus the DPA, and we have to look at the broader picture and take into account not just issues such as confidentiality and compliance with article 8 of the Human Rights Act, but other impediments to data sharing such as data quality, and cultural, professional and IT barriers.
In 2006, the government introduced a new measure with the intention of sharing data. The Electronic Social Care Records (ESCR) initiative in England was intended to store details of each user of social services in electronic format. That information was to be accessible by a number of different social care and health professionals. At the time of its introduction the scheme’s compliance with the DPA came under challenge, and despite the obvious benefits of sharing data, there remained fundamental concerns over data access, security, accuracy and confidentiality.
Despite being some two years on, a survey commissioned by the “NHS Connecting for Health Electronic Social Care Record Implementation Board” has demonstrated that the implementation of the ESCR initiative has considerable ground still to cover. Whilst most authorities have partially implemented procedures, much work remains to be done. One fundamental issue to the implementation of the plan was simply the work involved in moving from paper to electronic records – an issue that appears to be more one of persuading staff to implement the plan than one of any physical barrier. In addition, however, the survey identified cultural and professional barriers, and a lack of IT solutions and general IT literacy, as reasons for the failure to implement electronic document management.
That said, there are of course successful examples of data sharing, such as the data sharing schemes permitted by Disclosure Scotland and the Criminal Records Bureau. Notably, these are both provided for by statute. Under these schemes, employers and others are provided with information as to whether individuals are considered suitable to work with children.
Whilst there remains perhaps a degree of naivety at some levels within government, and a need for greater understanding as to the wide ranging legislative issues related to data sharing, there are perhaps more pressing fundamental concerns, such as the sheer logistics of implementation and the ongoing monitoring required of such schemes. As we can see from the English ESCR, the resourcing and implementation may well prove to be greater hurdles than ensuring compliance with the DPA itself.
Valerie Surgenor is a senior associate with MacRoberts