Appendix
Letter from Michael Wills MP, Minister of State, Ministry of Justice dated 23 May 2008
I am writing to respond to the Committee's conclusions and recommendations in the above report. The Government thanks the Committee for its report on Data Protection and Human Rights. I have adopted the Committee's numbering as in the summary at page 21 of the report.
1. Government must show that any proposal for data sharing is both justifiable and proportionate, and that appropriate safeguards are in place to ensure that personal data is not disclosed arbitrarily but only in circumstances where it is proportionate to do so. (Paragraph 14)
The Government takes data protection and human rights seriously and agrees that data sharing should be justifiable, proportionate and only undertaken when proper safeguards are in place. Sharing information within government can promote the well-being of society and help deliver public services more efficiently. Such information sharing can deliver significant benefits for the citizen, from protecting society as a whole from harm to facilitating the delivery of more efficient and tailored public services. Information sharing and proper respect for an individual's right to private life are compatible. We agree that there is a need to ensure that data sharing is proportionate.
It was for this reason, in October 2007, that the Prime Minister set up the independent review chaired by Dr Mark Walport of the Wellcome Trust and the Information Commissioner, Richard Thomas, to look at how personal information is used and protected in both the public and private sector.
2. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account. (Paragraph 20)
3. Setting out the purposes of data sharing and the limitations on data sharing powers in primary legislation would give a clear indication to the staff utilising such powers of the significance of data protection. (Paragraph 21)
Data protection safeguards are enshrined in the Data Protection Act 1998. Where it is necessary to legislate in order to empower bodies to share data, the exercise of those powers will usually be governed by the provisions of the Data Protection Act and the Human Rights Act. In many cases it is therefore unnecessary to duplicate those safeguards in the data sharing provisions of the enabling legislation.
Whether those data sharing provisions are best set out in primary or secondary legislation will depend on the context of the legislation and the data sharing involved. Primary legislation will not always be the best vehicle, for example where comprehensive lists of types of information, organisations or specific cases which may require amendment are set out in the legislation. Using secondary legislation in these cases allows for flexibility, particularly where future reviews and changes to such lists are likely, and in response to operational requirements, as it can more easily be amended than primary legislation.
The Government notes the Committee's view that the outlining of data sharing in primary legislation allows greater opportunity for scrutiny.
Detailing the purposes and limitations on powers in primary legislation would not necessarily increase the significance to those responsible for sharing data, nor necessarily instil a culture of respect. The efficient use of codes of practice may provide a more pragmatic and effective approach in the form of practical and detailed guidance to front line staff who manage and handle information than can be offered solely in the form of provisions set out in primary legislation.
4. We recommend that the role of data protection minister should be enhanced. In addition to overseeing the data protection legislation, the data protection minister should have a high-profile role within Government, championing best practice in data protection and ensuring that lessons are learnt from breaches of data protection. (Paragraph 26)
In my oral evidence to the Committee I outlined my responsibilities in relation to data protection. The Ministry of Justice is responsible for the construction and maintenance of the Data Protection Act.
Management of information is part and parcel of the delivery of public services. Individual Departments and their agencies are best placed to manage their own key framework and information because they understand best what information they hold and how best to deliver the services for which they are responsible.
They exercise that responsibility within a co-ordinated framework of:
the Data Protection Act 1998; Human Rights Act and the Freedom of Information Act 2000, for which the Ministry of Justice is responsible;
a strategic information assurance and security framework defined by Cabinet Office, which houses the Government's Central Sponsor for Information Assurance (CSIA); and
corporate governance and accountability requirements, promulgated by HM Treasury.
As the Committee has stated, there should be inter-departmental co-ordination to share best practice and help deal with the fall-out from significant breaches of data protection. The Government agrees with this and I refer you to the Cabinet Office Interim Progress Report: Data Handling Procedures in Government[1], published in December 2007. Paragraphs 7 to 12 of the report outline exactly how Government has, and does, strive to protect information in a co-ordinated way.
The final Cabinet Office report, due in Spring 2008, will seek to consolidate this joint approach to protect Government data, and define how Ministerial overview of progress will be provided.
6. Recent breaches in data protection appear mostly to have resulted from human error and procedural lapses rather than technological problems. However, it would be wrong to see these errors and lapses as unfortunate "one-off" events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure. The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector. (Paragraph 27)
7. We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act. (Paragraph 28)
Defining powers and safeguards in primary legislation would not necessarily lead to increased levels of respect for personal data. The Committee is certainly right to highlight the issues of culture and respect, and I made the same points when I appeared before the Committee last year. High levels of data security must be underpinned by a culture that values, protects and uses information. This culture is important when services are being planned and when they are being delivered.
Government is embarking on a sustained and determined effort to ensure that the right culture is in place. This will have to be led from the top of Departments, but will cover all those involved in the management of and access to personal data. All Departments must have strategies to nurture the right culture.
Government will always regard any data loss as a cause for concern. Where problems do occur the culture has to be one in which they are identified and learned from.
The Committee has stated its surprise and disappointment that senior officials need to be reminded of the main principles of the Data Protection Act. Staff at all levels of departments were reminded of their responsibilities under the Data Protection Act as part of the Cabinet Office review of "Data Handling Procedures in Government". This is part of a continuing process to deliver the cultural change that both we and the Committee believe is necessary. Such cultural change depends, among other things, on continuing to remind all staff of procedures. The Review instigated a re-examination of all areas where sensitive data is stored to ensure that proper processes are in place to protect personal data.
8. It is clear to us from a great deal of our work, and in particular recently our inquiries into human rights of older people in healthcare and adults with learning disabilities, as well as from this inquiry, that human rights are far from being a mainstream consideration in Government departments. The Minister has identified the cultural barrier to ensuring that personal data is adequately protected by the staff who handle it, but much more needs to be done to tackle this problem successfully. We have so far seen no evidence that the human rights champions in departments have made any impact, particularly in relation to front line staff. We will continue to scrutinise their work carefully. (Paragraph 34)
While acknowledging that more can and should be done to mainstream human rights amongst public authorities, and while respecting the Committee's views, the Government disagrees with the Committee's conclusion that "there is no evidence that the human rights champions in Departments have made any impact, particularly in relation to front line staff". Senior human rights champions across Departments regularly meet to discuss current human rights initiatives as well as tackling ways to improve information on human rights amongst public authorities. One such initiative, recently rolled out to Government Departments, is the access to a free online awareness course on human rights sponsored by the National School of Government and the Ministry of Justice. The National School of Government monitors the completion of the package by users. Departmental human rights practitioners, the next level in the human rights champions network, closely liaise with each other and the Ministry of Justice in order to raise awareness amongst policy officials to consider human rights implications when working on new and current policies. The evidence of the success of the human rights champions network is not easily measurable since public scrutiny and the media are usually focused (and rightly so) on the rare occasions when things go wrong rather than when Government policies are human rights compliant, which is the vast majority of cases. The test should not be on the basis of a month-by-month assessment but rather by regular long-term assessments of whether and how the necessary cultural change is taking place. We intend to carry out such long-term assessment.
We would also like to remind the Committee that the Government successfully carried out the human rights programme giving effect to the recommendations of the July 2006 Review of the Implementation of the Human Rights Act [2]. The programme focused on various areas including improved guidance on human rights (with specific guidance for public authorities including front line staff), further human rights training for legal advisers to Departments, and the establishment of human rights "action plans" by individual Departments. The evaluation of the programme conducted by the Ministry of Justice Assurance Team found that the programme had delivered all of its main objectives as defined in the programme definition document. A copy of the evaluation report was sent to the Committee on 1 November 2007.
The Committee may also wish to note that the wide distribution of the Ministry of Justice human rights guidance (Human Rights: Human Lives handbook[3] and the summary booklet and DVD) amongst Government Departments and their sponsored bodies focused on a range of sectors: health, local Government, education and the Criminal Justice System. In addition, the Department of Health currently has a human rights work programme with the overall aim of championing human rights in health and social care. The programme includes development and policy work within the Department of Health itself and externally facing work to support NHS Trusts to develop and apply human rights based approaches in their work. Phase 1 of the Human Rights in Healthcare project focused on the production of the framework Human Rights in Healthcare - A Framework for Local Action[4] to assist NHS Trusts to develop and use a human rights based approach to support their core business of planning and delivering high quality and accessible health services for all. Phase 2 will involve further development of the framework into a "road tested" version with a more developed business case and indicators. This phase will also devise a range of linked strategic tools that meet the needs identified by NHS Trusts to work within the framework and to provide a greater evidence base of the impact of using a human rights based approach in supporting Trusts' objectives.
The human rights programme has provided a solid foundation for mainstreaming human rights into policy and service delivery. The Ministry of Justice will continue to monitor the implementation of Departments' Action Plans and cross-Government human rights initiatives to sustain these efforts.
In relation to data protection, recent months have seen a wide range of activity taking place across Departments and in delivery bodies reporting to them. All Departments have started a broader process of culture change, for example working with staff to ensure that sensitive data is handled responsibly and securely. Much of the work will require ongoing and sustained attention. Sir Gus O'Donnell wrote to all Permanent Secretaries on 6 March 2008 attaching mandatory standards for data handling, and including measures to foster a culture of respect for personal data throughout Government.
9. We await the outcomes of the various reviews of data protection with interest. We expect the Government to keep us informed about its proposals for reform in this area. We recommend that, in its responses to the reviews, the Government should acknowledge the close connection between data protection and human rights; and explain how it proposes to ensure that a culture of respect for personal data is fostered throughout Government. (Paragraph 35)
The reports from the various reviews will help the Government to take a considered view of the range of measures necessary to strengthen the protection of personal data.
It is clear that more can be done to improve trust and confidence about the arrangements in place to protect information in Government. Transparency is a powerful tool in this respect. Departments will cover information assurance issues in their annual reports.
We will ensure that recommendations of the reviews are used to strengthen the security of personal information.
We will keep the Committee informed, as they request.
10. We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the national human rights machinery. We support proposals to enhance the Commissioner's powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively. (Paragraph 39)
We agree with the Committee's comments about the important role played by the Information Commissioner and his office.
We believe it is essential that the Information Commissioner has the powers to effectively encourage and compel compliance with the Data Protection Act. This was reflected in the Prime Minister's invitation to the Information Commissioner in late 2007 to conduct spot checks on Central Government Departments' compliance with the Data Protection Act. This does not involve any legislative change. These spot checks will begin over the coming months.
The Data Protection Act has recently been amended to confer, on the Information Commissioner, a power to impose a monetary penalty on a data controller where the ICO is satisfied that the data controller has committed a serious contravention of the data protection principles.
The Information Commissioner's powers are also being considered by the Thomas/Walport review. The review will make recommendations on the powers and sanctions available to the regulator and courts. A report is expected in mid 2008. The Government will take a considered view on what measures to take to strengthen the Information Commissioner's powers in light of these and the recommendations of the Cabinet Office review.
The Commissioner's data protection work is funded by notification fees paid by data controllers under section 26 of the Data Protection Act, which his office retains with the agreement of HM Treasury. In 2006-07 this was £10,200,000. Government is currently considering the Commissioner's case for increased resources, including the recommendation of the House of Commons Justice Committee report 'Protection of Private Data' (January 2008)[5] that a graduated fee scale be introduced to replace the current flat fee that applies to all data controllers.
11. We support initiatives to ensure that data protection issues are dealt with at an early stage in the planning of Government projects, including legislative proposals. We intend to scrutinise how privacy impact assessments are used in practice. (Paragraph 40)
The Information Commissioner has made a powerful case for Privacy Impact Assessments (PIAs) to be carried out at an early stage in the development of policy and service delivery. In December 2007, the Information Commissioner launched the PIA handbook[6] developed for the Information Commissioner by an international team of experts co-ordinated by the University of Loughborough.
The Government is looking at how best to introduce PIAs and working with the ICO on the best way to do this. The National Police Improvement Agency, for example, have started a PIA for the Police National Database (PND) closely following the Information Commissioner's handbook and working with staff from the Commissioner's office. It aims to complete the PIA for the first phase of the PND by the end of this year. The results will be published.
12. Recent breaches in data protection by Government departments do not encourage us to feel confident about the security of data collected as part of the National Identity Register project. We intend to take a close interest in the Government's detailed proposals for the National Identity Register as and when they emerge. (Paragraph 47)
The Home Office/Borders and Immigration Agency issued its consultative 'National Identity Scheme Delivery Plan 2008'[7] on 5 March 2008. The purpose of the consultation is to help Government to proceed with the implementation of the National Identity Scheme, including the introduction of identity cards linked to a National Identity Register (NIR). The delivery plan sets out the proposed benefits of the scheme and how the security of data will be maintained. Paragraph 20 of the delivery plan states: 'In terms of security, the Government's goal for the National Identity Scheme is that it will provide the most secure basis for identity assurance of any system currently operating in the public or private sector. Its approach to the design of the Scheme aims to balance customer service, privacy, security and usability. In doing so, Government recognises the need to respond to public concerns about data security and it will use technology and other non technical safeguards to provide the highest levels of protection for an individual's personal data'.
13. We regret that it has taken the loss of personal data affecting 25 million people - a "train crash", in the words of the Information Commissioner - for the Government to take data protection seriously. Data protection is a human rights issue and should not be treated as a fringe concern, a matter for rarely consulted policy documents and procedures which are all too easily ignored. The recent data protection breaches have revealed the complacency of the Government's repeated refusal to accept our recommendations that more detailed limits and safeguards be included in Government bills which authorise the sharing of personal data. The problem is symptomatic of a deeper problem to which we have drawn attention in recent reports and on which we recently commented in our annual Report on our work for 2007: the failure to root human rights in the mainstream of departmental decision making. (Paragraph 49)
We take data protection seriously and had already established the Thomas/Walport Review prior to the HMRC data loss incident.
We are committed to ensuring information sharing is undertaken in a transparent and controlled manner with legal and process controls in place to ensure that information is shared appropriately and proportionately. Personal data must be protected in line with the data protection principles enshrined in the Data Protection Act and information sharing can only take place when not incompatible with the purpose for which it was obtained.
Because no information handling system provides total protection, performance needs to be monitored and lessons learned. The Government is putting in place mechanisms to ensure that both are done.
The handling and protection of data is a global concern and both the public and private sectors have been faced with tackling information security breaches. Sharing data is essential and commonplace as our society becomes more interconnected. The Government is clear that it must constantly reassess its mechanisms for protecting information in this rapidly changing technological and globalised world.
For the reasons already stated in the response to point 8 of the Committee's Report, the Government respectfully disagrees with the Committee's conclusion about the alleged Government's "failure to root human rights in the mainstream of departmental decision making". I would also like to refer the Committee to my letter of 11 April 2008 with the Government's response to the Committee's Sixth Report on "The Work of the Committee in 2007 and the State of Human Rights in the UK".
14. We note that the Government has launched a number of reviews of data protection legislation and practice. Once those reviews have been completed, we expect the Government to take action to foster a positive culture for the protection of personal data by public sector bodies. This will enable the Government to reap the benefits of data sharing, where it is considered desirable, without calling into question the right of ordinary people for respect for their personal lives.
We are taking action now to foster a positive culture which values and protects personal data and we will continue to do so. In addition, and as the Committee has anticipated, the Government will take a considered view on what further measures we need to take to strengthen the protection for personal data in light of the recommendations of the Thomas/Walport, Poynter and Cabinet Office reviews.
[1] http://www.cabinetoffice.gov.uk/reports/~/media/assets/www.cabinetoffice.gov.uk/publications/reports/data/data_handling%20pdf.ashx
[2] http://www.dca.gov.uk/peoples-rights/human-rights/pdf/full_review.pdf
[3] http://www.dca.gov.uk/peoples-rights/human-rights/pdf/hr-handbook-public-authorities.pdf
[4] http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_073473?IdcService=GET_FILE&dID=137175&Rendition=Web
[5] http://www.publications.parliament.uk/pa/cm200708/cmselect/cmjust/154/154.pdf
[6] http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/foreword.html
[7] http://www.ips.gov.uk/identity/downloads/national-identity-scheme-delivery-2008.pdf