I hate the phrase “data sharing” because “sharing” usually carries a consensual connotation. One shares sensitive detail with close friends and family; one does not “share” such details with tax officials, VAT inspectors or police in the same way.
When public authorities say they are “data sharing” what they often mean is that they are making disclosures of personal data often without the consent or knowledge of the data subject. I also sometimes think that the use of “share” masks what actually is happening: “share" and "care” rhyme and often go together. However, this blog raises an example where “share” and “nightmare” is the more appropriate coupling!
In January this year, the Parliamentary Ombudsman, Ann Abraham criticised three government agencies for collectively failing to put things right when a data sharing mistake led to a woman’s personal and financial information being wrongfully disclosed to her former partner and her child support payments being reduced without her knowledge. I have to be honest, I missed this report – but better late than never.
The report, “A Breach of Confidence”, is the outcome of the Ombudsman’s investigation of Ms M’s complaint about HM Revenue & Customs, the Child Support Agency and the Department for Work and Pensions, and their handling of her personal information. The chain of events leading up to Ms M’s complaint to the Ombudsman dates back to 2006 when one of the government agencies involved incorrectly updated her records to show her living at her former partner’s address, although she had in fact never lived there.
After discovering her details had been changed, Ms M tried to find out why and sought an assurance they had been corrected. She was passed from one government agency to the next, each denying responsibility. She then took the matter to her MP who subsequently referred it to the Ombudsman.
The Ombudsman upheld Ms M’s complaint. In her report, the Ombudsman expresses her concern that:
- The network of computer systems used by HM Revenue & Customs, the Child Support Agency and the Department for Work and Pensions could make changes to Ms M’s personal data without her knowledge or consent yet an interrogation of that network cannot now locate the source of any errors.
- The agencies were unable to give Ms M the reassurance she sought about her personal information.
- Each of the agencies blamed another for the mistake and took the view that as the mistake had been made by ‘the system’, there was nothing they could do. None of press releasethe agencies involved accepted responsibility for what had happened to Ms M until the Ombudsman became involved.
The Ombudsman wryly commented that “While these government agencies have computer systems that are networked and communicated with one another, the agencies themselves clearly do not”.
When readers of the blog are talking to staff about the ICO’s Code of Practice on Data Sharing, it is sometimes an abstract affair. This report is an example of what can go wrong – big-time, and for that reason, it is an important document to read. Invaluable input if you are doing training courses.
References: The Ombudsman’s Report can be downloaded here Download Ombudsman data sharing. The ICO’s Code of Practice on data sharing can be downloaded here. Download Amber_d5_data_sharing_code_of_practice
Update
Next Update is October 17th 2011 in London. The guest speaker is Kuan Hon, from Queen Mary’s Cloud Computing Project; she will be speaking on "Every Cloud has a Data Protection Lining"; Rosemary Jay, from Hunton and Williams will be analysing the data protection fallout of the hacking affair. £195+VAT per place: full details on the Amberhawk main site (www.amberhawk.com). Sue Cullen and myself will be delivering updates on the usual "what's new" matters (e.g. enforcement, undertakings, FOI/DP interface and news roundup).
Comments
You can follow this conversation by subscribing to the comment feed for this post.