http://www.ashfords.co.uk/1446 Last modified July 16, 2008 13:27

Data Sharing Review Update

Introduction

A Data Sharing Review ("the Review") has just been issued by Richard Thomas, the current Information Commissioner ("IC"), and Dr Mark Walport, the Director of the Wellcome Trust.

The Review was commissioned by Gordon Brown following the highly publicised loss last year by HM Revenue and Customs ("HMRC") of two CD-ROMs containing the records of 25 million people. The discs went missing after HMRC despatched them to the National Audit Office for audit purposes. The act of data sharing itself was not contentious; what was contentious was the manner in which the discs were despatched, without adequate and appropriate security.

The first point to note is that the Review is not an authoritative statement of the law in relation to data sharing. It simply contains a number of recommendations which are designed to improve the way in which organisations which share data operate.

We have summarised the recommendations set out in the Review below. For now, however, organisations should simply make themselves aware of the content of the Review and wait to see whether some or all of the recommendations are adopted by the Government.

Data Sharing

The Review makes the point that data sharing can be good (e.g. the online road tax renewal system, in which VOSA, insurance companies and the DVLA work together to make the renewal of vehicle tax easier) or bad (e.g. the highly publicised loss of data by HMRC referred to above).

There is an inherent tension in data sharing: in some circumstances sharing data may cause harm, but in others harm can be caused if data is not shared. The Review comments that data sharing must be proportionate and transparent, that it should take place with consent, and that the organisation doing the sharing must be held accountable. Organisations should first consider whether it is appropriate to share data at all, and only then consider how that data should be shared.

The Recommendations

The Review sets out 19 recommendations which are designed to achieve change in the way in which organisations deal with data sharing.

Key amongst these recommendations is the need to give the Information Commissioner's Office ("ICO") sufficiently robust powers and sanctions, including stronger audit and inspection powers. The Review also calls for more funding for the ICO and advocates a multi-tiered system of notification fees to ensure that it receives what the Review terms a "significantly higher level of funding".

We would argue that the Review's recommendations for businesses make good practical sense and that, in so far as the recommendations are addressed to businesses, well managed businesses should already be part way towards compliance with them. However, the Review of itself has not changed anything, and the IC seems to have missed an ideal opportunity to recommend a complete overhaul of the Data Protection Act 1998 ("DPA").

The DPA comes under criticism from the business community for its imprecision and legal ambiguity. The Review acknowledges these weaknesses and admits that the consultation process leading up to the Review has:

"indicated unequivocally that the Data Protection Act does not, and maybe by itself cannot, provide a sufficiently practical framework for making decisions about whether and how to share personal data"

That being said, the Review fails to recommend how the DPA ought to be changed or how the tangled web could be simplified. Instead, it comments that change needs to flow from Europe and the UK Government, and leaves it to government to take up this mantle. Given that changes to the EU Directive are likely to be "some years away" (to quote the Review), it would seem that we will have to continue working with the DPA, such as it is, for quite some time to come.

Next Steps

The Review invites the Government to respond in 18 months' time with a timetable for the implementation of the recommendations and a progress report. For now, therefore, it is a case of "watch this space" to see whether the Government picks up the IC's gauntlet and implements some or all of the 19 recommendations set out in the Review. We will issue updates on our website as and when it becomes clear how the Government is going to respond to the issues raised in the Review.

In the meantime, we have summarised the recommendations made in the Review:

1. organisations should clarify in their corporate governance arrangements where ownership and accountability lie for the handling of personal information.

2. companies should review their systems of internal controls in relation to the use of personal data on at least an annual basis. The companies' shareholders should be notified when this has taken place.

3. the IC advocates increased transparency about companies' data-sharing activities. A number of steps are recommended, of which we have picked out four of the most significant below:

  • public bodies should publish and maintain details of their data-sharing practices and schemes.
  • organisations should publish lists of those businesses with whom they share or sell personal information (this includes so-called "selected third parties").
  • clear language should be used on the opt-in or opt-out boxes where individuals are asked to share their personal information.
  • organisations should make it possible for individuals to inspect, correct and update the information that is held about them.

4. all organisations which routinely use and share personal information should review and enhance the training they give to their staff as to how they should handle that information.

5. organisations should use authenticating credentials wherever possible in order to avoid collecting unnecessary personal information. For example, to see an 18-rated film it is only necessary to provide proof of age; it should not be necessary to collect names and addresses.

6. the UK government should assume a leadership role in promoting the reform of European data law.

7. (a & b) the ICO should be under a statutory duty to publish a data-sharing code of practice and context-specific guidance to support the code.

8. (a & b) a new statutory fast-track procedure ought to be created to remove or modify existing legal barriers to data sharing. The IC ought to be involved in the process.

9. the IC should be able to impose the same sanctions as the Financial Services Authority. This would include fines related to turnover.

10. the Government should bring the new fine provisions fully into force within six months of Royal Assent of the Criminal Justice & Immigration Act, that is, by 8 November 2008.

11. in cases where substantial damage or distress is likely, organisations should notify the IC when a significant data breach occurs. Failure to notify would be taken into account when deciding what penalties are appropriate (if any) for the data breach.

12. the IC should have a statutory right to gain entry to premises to carry out an inspection and the organisation should have a duty to cooperate and supply any necessary information.

13. the ICO states that it needs more funding as a matter of urgency. The Review therefore recommends increasing the notification fee through the introduction of a multi-tiered system, which it claims would reflect more fairly the cost to the regulator of organisations of different sizes. Given that the ICO anticipates this change would lead to a revenue increase of £6 million per annum, it seems likely that fees will increase by a fair amount for larger organisations.

14. the IC should have a supporting executive team rather than being a single officer. This would reinforce the status of the IC as a corporate body.

15. the Review asks government to bring forward new legislation as soon as possible to develop so-called "safe havens". These safe havens would provide an environment for population-based research and statistical analysis in which the risk of identifying individuals is minimised. Researchers working in these safe havens would be bound by a strict code preventing the disclosure of any personally identifying information, with criminal sanctions in the event of a breach of confidentiality.

16. government departments and others wishing to develop, share and hold data for research and statistical purposes should work with academics to set up safe havens.

17. the NHS should develop a system to allow approved researchers to work with healthcare providers to identify potential patients, who may then be approached to take part in clinical studies for which consent is needed.

18. the Government should commission an enquiry into online services that aggregate personal information.

19. the Government should remove the provision allowing the sale of the edited electoral register. The Review regards the sale of this personal information as "an unsatisfactory way for local authorities to treat personal information".

Ashfords is regulated by the Solicitors Regulatory Authority. The information in this article is intended to be general information about English law only and not comprehensive. It is not to be relied upon as legal advice nor as an alternative to taking professional advice relating to specific circumstances.