United Kingdom Parliament
HOME
ABOUT
MEMBERS & STAFF
BUSINESS
PUBLICATIONS
A-Z INDEX
GLOSSARY
CONTACT
Publications & records
Advanced search
 HansardArchivesResearchHOC PublicationsHOL PublicationsCommittees
You are here: Publications and Records > Select Committees > Human Rights > Human Rights

DP 3

 

 

 

 

 

 

Human rights, data protection and information sharing: background paper for the Joint Committee on Human Rights

 

 

 

 

1. The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000. He is independent from government and promotes access to official information and the protection of personal information. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. The comments in this evidence are primarily from the data protection perspective.

 

2. The Data Protection Act (DPA) applies to all organisations that handle information about people, in both the public and private sectors. Most public sector bodies are also 'public authorities' for the purposes of the Human Rights Act 1998 (HRA). This means that when public sector bodies, including governmental ones, collect, share or otherwise handle information about people, they have to do so in a way that's compatible with the right to respect for private and family life - Article 8 of the European Convention on Human Rights (ECHR). However, the DPA should help public authorities to comply with their duty under Article 8, because the European Data Protection Directive, which the DPA gives effect to in the UK, and the HRA both have their origins in the Council of Europe's European Convention on Human Rights.

 

3. Article 8 doesn't prohibit the collection or sharing of information about people. However, it does mean that if this is going to happen, then certain safeguards for individuals have to be put in place. The duty to have respect for private and family life is a very high-level one. Neither the HRA not the ECHR itself provide any practical guidance to help public authorities to act in a way that ensures that the individual's right to private life is respected. However, the DPA does do this.

 

4. The DPA is built around a set of principles of good practice for the handling of personal information, some of which are particularly relevant in the context of information-sharing. For example, the principles require that any sharing of personal information is necessary and that any information shared is relevant, not excessive and is kept securely. The principles provide a practical framework for balancing the need for public authorities to make best use of the personal details they hold whilst respecting individuals' private lives.

 

5. The unnecessary or disproportionate sharing of personal information can undoubtedly have a significant negative impact on individuals. The public sector, in particular, holds some of the most personal details about people; health records, tax returns, police records, adoption papers and so forth. People do care about their personal details, particularly the more sensitive sorts of information. For example, tracking research carried out by ICO last year showed that 92% of people were concerned about the protection of their personal details - only concerns about preventing crime rank higher. In particular, the research shows high levels of public concern over the potential mismanagement of information. The highest-ranking concern is about passing or selling personal details onto other organisations. This means that if organisations handling personal information want to command public trust, they must do so in a way that is proportionate, secure, transparent and reasonable. Complying with the data protection principles will ensure that this is the case.

 

 

6. It is wrong to see the sharing of personal information as necessarily a bad thing, one that can necessarily be opposed on data protection or human rights grounds. Indeed one of the problems in the early stages of the information sharing debate was that some put forward the simplistic view that sharing more information would necessarily make things better, others the equally simplistic view that it would necessarily make things worse. However, the debate has matured and moved on. The issue now isn't whether there should be more or less information sharing, but rather what information is being shared, why it's being shared, who has access to it and what the effect of this is.

 

7. There is no doubt that the intelligent use and analysis of personal information can bring all sorts of benefits to society and individuals. For example, the DWP's 'Tell us Once' project should make it a lot easier for citizens to update their details for official purposes, for example when they move house. Many local authorities are doing similar work to make it easier for people to access their services without having to provide the same details over and over again to the authority's various departments. Most people wouldn't object to that, indeed they'd probably expect public bodies to share personal information where this is necessary to make it easier to access public services.

 

8. In crime prevention contexts the matching of data held by different organisations can reveal discrepancies that, on further investigation, may reveal, for example, that the same person is fraudulently claiming housing benefit from two neighbouring local authorities. There is no doubt that data matching techniques of this sort can contribute significantly to the detection of wrongdoing and to the protection of the public purse. It would be wrong to deny society the benefits that information sharing can bring in contexts such as this.

 

9. However, the benefits do need to be weighed against the privacy risk that can accompany the wider sharing of personal information and any initiative needs to be clearly justified with safeguards to minimise risk in place before information sharing takes place. The precise mechanisms will depend upon the nature of the personal information. In some instances it may be appropriate to include specific safeguards as part of legislation which facilitates information sharing by limiting the purposes for which personal information may be used, restricting the amount of personal information collected and shared and specifying restrictions on disclosure with sanctions for misuse.

 

10. In this connection the Commissioner has asked for additional powers for his office, in particular the power to inspect the processing of personal data without a data controller's consent. In response to the recent HMRC security breach the Government has agreed that he should have this power at least in relation to processing by Government departments. Provided he receives sufficient funding the ICO's involvement in inspection should help provide reassurance to the public that their information will be handled safely and securely.

 

11. The Commissioner has previously called for data protection considerations to be considered at an early stage in a new initiative to gauge whether what is envisaged is appropriate and what safeguards may need to put in place if the initiative is to proceed. This could involve a formal requirement to seek his views on initiatives which are likely to raise substantial privacy concerns.

 

12. The Commissioner has done much work in the past year allied to concerns about a developing surveillance society. His recent efforts have been concentrated on developing practical tools to help safeguard against the unwanted effects of a surveillance society. He has recently launched a privacy impact assessment (PIA) handbook. PIAs are used to assess the wider privacy implications of a development in its early stages to ensure that privacy concerns are systematically identified and addressed. These are common in North America and Australasia. For example, the US E-Government Act requires all proposed new uses of personal information, including information sharing, to under go a PIA. The PIA approach is new to the UK and goes wider than just addressing data protection compliance concerns by also engaging with human rights considerations.

 

 

13. The use of PIAs should help ensure that privacy safeguards are built in to new initiatives, not 'bolted on' later as an expensive and inadequate afterthought. To assist with the development of a handbook and to learn form best practice, he also commissioned a study on the use of PIAs in other countries.

 

14. A further approach that can also help ensure appropriate privacy protection is by the use of what have become known as privacy enhancing technologies. This involves adopting technological solutions to help maximise privacy protection or as the Royal Academy of Engineering put it in their recent report on the Surveillance Society this is exploiting engineering ingenuity to protect personal privacy. The Commissioner has long been an advocate of their use and will be embarking on further work during the forthcoming year to promote their wider use.

 

 

15. In the specific area of information sharing the Commissioner has recently published a Framework Code of Practice for Sharing Personal Information. This sets out a comprehensive, practical set of safeguards that can be put in place to minimise any impact on personal privacy that information sharing may have and, more in a more general sense, to ensure individuals' human rights are respected. Copies of the PIA handbook, international study and framework code of practice will be provided to the Joint Committee.

 

16. The Commissioner is himself a public authority for the purposes of the HRA. This means he must himself act, and must interpret the legislation he is responsible for enforcing, in a manner compatible with the EHCR. It is fair to say, therefore, that there is a mutually supportive interplay between human rights, data protection and the work of the Information Commissioner.

 

 

 

 

 

 

 

Richard Thomas

Information Commissioner

20 December 2007