In January, I published a blog on how the Scottish Government were consulting on plans to transform the current NHS Central Register (“NHSCR”) into a population register without much thought about the Data Protection Act (DPA). The ICO has just published a contribution to that consultation process that, when you strip away the diplomatic language, comes to a similar conclusion.
What I did not know at the time of writing the blog was that there was a flourishing “Entitlement Card” in Scotland; readers in the rest of the UK who can walk down memory lane on this subject will remember that this name was specifically chosen by David Blunkett in 2002 in his White Paper “Entitlement Cards and Identity Fraud”.
“Entitlement Card” was the euphemism used by the Blair Government in an attempt to avoid the more controversial term “Identity Card”. This public misrepresentation of the Card’s purpose failed of course; however a result of my January blog was to contribute to the ignition of a serious debate on ID Cards in Scotland (see references).
As with the ID Card Act back in 2006, Scottish Ministers have “poo-pooed” all the complainants for totally picking up the wrong end of the stick, making exaggerated claims, politicking and scaremongering. By contrast, opponents claim that an ID Card system is being introduced by the back-door, by administrative fiat, and with little debate.
However, there is one irony; Labour politicians in 2015 are criticising the SNP population register in similar terms as the SNP politicians criticised Labour’s ID Card database back in 2006. Clearly, a decade is a long time in politics.
Enter the Information Commissioner’s commentary
Assuming the ICO would probably contribute to the consultation process, I asked the ICO for a copy of his submission, which duly arrived just in time for some light weekend reading. This blog is a summary of the critical commentary; the full submission can be accessed below.
One of the criticisms the ICO makes (in several places) is that, in relation to processing purpose (e.g. disclosure of personal data from the revised NHSCR): “we wish to draw attention to a concern that neither the current Regulations nor the proposed amendments specify explicitly the purposes for disclosure taking place”. This in fact is recognition that the NHSCR project is being developed using wide-ranging powers that permit disclosure for any future (unspecified) purpose.
The First Data Protection Principle requires the purpose of the processing (e.g. purpose of any disclosure) to be identified to ensure the processing is fair to each and every data subject; usually this purpose is identified in a Fair Processing Notice given to the data subject prior to any processing.
To assist this, the ICO therefore “recommends that the Regulations are amended to add a column to the Schedule 2 table (these Regulations are published in the Appendix to the NHSCR consultation document), specifying the purposes for which the various disclosures may be made”.
These comments can be roughly translated as: “Please fetter the powers to disclose for any purpose and identify the disclosure purpose if you intend other bodies to gain access to the population register”.
In the blog, I also made the comment that a Privacy Impact Assessment was absent. The ICO agrees and states:
“Furthermore, prior to agreeing the Regulations, a Privacy Impact Assessment (PIA) should be undertaken for any of the above elements which have not yet been subject to a PIA. These PIAs should draw upon the responses to the consultation and any existing PIA should be reviewed in the light of the responses”.
I also made the observation that compliance with Article 8 of the Human Rights Act needs to be demonstrated (as any processing of personal data without consent has to be necessary, proportionate and for a pressing social need). This is reflected by the ICO’s commentary in the context of populating the NHSCR:
“The proposal to use the CHIP to populate the NHSCR with up to date addresses would be a shift away from the current consensual model and the ICO has concerns as to whether there is a sufficient public interest justification to meet the ‘necessity test’ to enable reliance on any of the other conditions contained in the DPA that are required to be met for the processing to be compliant”.
Roughly translated this means that it is not clear which DPA Schedule 2 ground would legitimise the collection of personal data on the NHSCR as all the Schedule 2 grounds except for consent require the processing to be “necessary” for something. That is why the ICO adds: “This is an area that would certainly benefit from the more detailed analysis of a PIA”.
The ICO draws attention to one of the identified purposes of the scheme; namely to “assist with the tracing of certain persons (e.g. children missing within the education system and foreign individuals who may not have settled outstanding accounts before leaving the country)”.
The ICO is clearly unconvinced about this justification as the DPA is not contravened if such tracing were to occur now (i.e. without the population register) as he comments:
“The Registrar General already has the power from the current Regulations to disclose information to charities and solicitors to assist them in tracing missing persons”.
“With regard to the recovery of NHS costs, the DPA already recognises the need for effective and efficient use of public funds with its exemption at section 29 in relation to Crime and Taxation”.
“This proposed amendment would remove any legislative bar for the Registrar General to share information with UK Visas & Immigration in an attempt to locate those owing the public purse following health treatment. However, it is unclear how such sharing might result in cost recovery if the individual is no longer in the UK and a foreign address is not held here”.
He concludes by repeating his PIA point that:
“…we strongly recommend that the Regulations are amended so as to specify and limit the purposes of sharing clearly within the legislation” and that “Prior to the implementation of these proposals, and as indicated above, full PIAs drawing upon the responses to this consultation should be undertaken”.
In my blog, I stated that the Scottish model for identity assurance, linked to a central register, was not adopted by the Cabinet Office for the rest of the UK and that this divergence in approach needed an explanation.
The ICO says the same thing in a different way:
“In assuring a privacy friendly approach, the ICO would highlight the work we have done with the UK Cabinet Office on the GOV.UK Verify service, which works on a federated basis. Whilst not extolling this as the best approach, it is an example of a privacy-by-design approach to ID management in the public sector from which undoubtedly lessons could be learned”.
However, the most critical comment relates to “the concerns reported recently in the media in respect of the proposals in that they will effectively turn the UCRN into a national identity number”.
He then adds: “If we are to have a national identity number this should be the subject of proper debate and be accompanied by suitable safeguards. It should not just happen by default”.
And so say all of us!
Original blog on the NHSCR proposals: http://amberhawk.typepad.com/amberhawk/2015/01/proposals-to-expand-central-nhs-register-creates-a-national-population-register-and-significant-data.html
Summary of much the Scottish debate on the ID Card in the media: http://www.jwelford.demon.co.uk/snecnews9.html
Download the ICO response to the NHSCR consultation: Download NHS Central Register - ICO Response Feb 2015