I suspect the Government is going to ditch the Law Commission recommendations on data sharing; this is because it wants a quick implementation of its own extensive data sharing proposals. In short, general data sharing powers are now on the political agenda again.
This is the third time in a decade that Government has tried to obtain data sharing powers that apply in circumstances unconnected with the usual suspects (e.g. data sharing in relation to crime, national security and law enforcement).
The Government tried in 2006 with the Identity Card Act to permit general public sector access to the Identity Card database in order to help deliver efficient and effective public services. This was followed with wide data sharing powers in the Coroners and Justice Bill in 2008; after considerable opposition in the House of Lords, these were replaced by the data sharing code of practice provisions (which we all love). Third time round has happened with these proposals.
The Government has learned that it needs to engage with its opponents. So for the last year, the Cabinet Office has been holding a number of public meetings with the objective of “exploring whether some of the barriers to sharing and linking different datasets in government can be removed in order to develop a better understanding of the economy and society, deliver more targeted and joined-up public services, and save public money lost through fraud, error and debt”.
In many cases, the Government insists that any data sharing occurs with the consent of the data subject. However, the documentation (28th July 2014; see references) also indicate that consent is not the only way for data sharing to occur.
This document states that the Government intend to take a general data sharing power which “…is intended to be used in situations where….”:
- “The objective could not be met without data sharing”
- “It is not realistic and practicable to use consent to achieve the intended outcome or use of consent would not meet the criteria of free and informed decision”, or
- "Analysis of anonymised data would not achieve the intended outcome”.
Although this is a discussion document, I think the chosen wording gives rise to several concerns. For instance, the data sharing power has not been described in terms such as being "necessary" in association with a pressing social need that has been identified. And what does “not realistic” mean in practice? Could these powers be used when so many data subjects refuse consent to the data sharing, that it would then become “realistic” to override these refusals?
In addition, who decides when it “is not realistic” to rely on data subject consent or what are the circumstances when anonymous analysis “would not achieve the intended outcome” (Does this extend to data sharing of health and social work records for instance?). As with the two previous data sharing initiatives the devil is in the detail.
It is no good, as the document does, in providing examples of “beneficial” data sharing. The problem is that when powers are enacted, they can be used into the future. As with the adage “puppies are not only for Xmas”, once these powers are available, they can be used indefinitely until repealed.
To be fair to the document, it does identify the problems when “very broad powers” are used but proffers no solution to this (unlike this blog – see below).
Are these safeguards?
The 28th July documentation claims says that the privacy safeguards against excessive data sharing include: "The Data Protection Act 1998; Law of Confidentiality; Article 8 of the European Convention on Human Rights and EU legislation on data sharing". I will now show when these legal safeguards are unlikely to apply.
For instance, with respect to the common law of confidence, it is well known that one can always set aside a confidentiality obligation if there is a statutory requirement to disclose such confidential personal data. So as soon as Ministers exercise their data sharing powers to demand disclosure: “good bye” common law of confidence.
It is also well known that the Human Rights Act is under threat of abolition by the Conservative Ministers who are currently driving the data sharing agenda. So if a Conservative Government is returned after the next Election, we don’t know the nature of the A.8 replacement. As for Europe – we might leave following an in-out referendum! In both cases, the safeguards on offer are uncertain.
With respect to Data Protection Act (DPA), I have often argued that once statutory powers are applied to a disclosure, then the disclosure is almost invariably “lawful” and the disclosure itself can be subject to the exemption from the non-disclosure provisions (S.35(1)). This exemption can exclude several data protection principles (Fairness, Second to Fifth Principles) and the rights that could block disclosure.
The Third Principle can be neutered if broad purposes are defined in data sharing legislation. For example, if a controller says "personal data item X is relevant to a housing benefit purpose", the claim can objectively be tested: “is the data item relevant or not relevant to the housing benefit purpose?”.
However, this test is substantially diminished if the purpose is broadly defined as in "the purpose of the efficient delivery of public services"; it can be seen that many items of personal data could satisfy this requirement.
In summary, when a purpose is narrowly defined, the more precise the relevance test of the Third Principle becomes, and the more protection there is from the DPA. The converse is also true; the broader the purpose description, the less precise is the relevance test and the poorer the protection afforded by the DPA. The same argument applies to the retention criteria of the Fifth Principle as it, like the Third, the level of protection is linked to "the purpose" of the processing.
In summary, there will be not much data protection on offer when statutory data sharing powers are exercised.
Missing safeguards
Some of these are listed below; they are very easy to identify if, unlike the document, one asks the simple question “what could go wrong?”.
Whenever data subject consent is impracticable, then there has to be a right for any data subject to object to any further data sharing, at any time, without providing a reason. In fact, transparency arrangements should offer an “opt-out”. Exceptions to this right to object can be catered for as they can easily be identified (e.g. to permit data sharing in relation to fraud).
At the moment, there is no right to object that would apply to non-consensual data sharing and it is important to understand that the current right to object to the processing under the DPA (S.10) won’t apply.
As soon as statutory powers for data sharing are exercised any data sharing required by law would be legitimate in terms of paragraph 3 of Schedule 2, whereas the current "right to object" in the DPA only applies when paragraph 5 and 6 applies to the data sharing. In addition, the data subject has to show that data sharing would cause or likely to cause “unwarranted” and “substantial” damage or distress; this is a high barrier to the exercise of this right.
The second safeguard, I suspect, is needed when personal data are used for data matching and/or profiling; the Information Commissioner should be tasked to produce a statutory code of practice if data sharing involves these two.
Thirdly, there needs to be a counter-balance to the exercise of Ministerial powers by Statutory Instrument (SI) as Parliament hardly ever rejects the use of powers granted to Ministers (even when the SI is subject to debate in a Select Committee). The Information Commissioner should be given the explicit right to apply to a Court on the grounds that the processing of personal data is disproportionate in terms of Article 8 of the Human Rights Act. This raises the prospect of the power being declared unlawful and the SI being struck out.
In other words, there needs to be an easy-to-use, free of charge, mechanism whereby data subjects could gain access to the Courts in order to test the lawful basis of the data sharing; allowing the Commissioner to enforce unlawful processing in terms of Article 8 is one example of such a mechanism.
The documentation is silent on the issue of redress for a data subject who has been damaged by non-consensual disclosures; one suspects that the aggrieved data subject is supposed to take a compensation claim through the Courts. This redress thus only applies in the most damaging of circumstances.
You could easily have the Information Commissioner (or some Ombudsman) recommending compensation if there is detriment to the data subject caused by the data sharing. This could, for example, arise if a data subject is denied a benefit on the grounds of sharing inaccurate personal data.
Sadly, there is currently no indication that data sharing, once commenced, will cease. For instance, in my view, if data sharing powers are used in non-law enforcement circumstances, there must be a document which explains the benefits achieved by data sharing in quantifiable terms. By implication, if the stated objectives are not realised, then data sharing should cease.
Instead the document suggests periodic reviews so that improvements can be identified (i.e. so that data sharing continue), or the existence of oversight by Parliamentary Committees that can make recommendations. Both these are window-dressing as once powers are enacted, data sharing continues and recommendations are just that (something that can be ignored).
Another way of achieving this cessation of processing objective is to have a “sunset” clause on each data sharing initiative. This would require data sharing powers to be renewed under an independent process, and enables an effective cost-benefit analysis on the basis of past performance, before data sharing powers are renewed.
As I said, these simple protections are missing and I have yet to identify any effective privacy protection to prevent excessive data sharing or redress if data sharing goes pear shaped.
Concluding comments
The Government’s timetable is tight. A White Paper is expected by Christmas and a period of public consultation ending in March. This means that there will be a Civil Service briefing pre-prepared for an incoming government after the next General Election. Such a timetable excludes the considered approach suggested by the Law Commission.
With all political parties promising considerable deficit reduction targets (albeit different ones), then one suspects that all the Civil Servants need do is to hint at unquantifiable but huge savings that arise from wide data sharing (just as they did on 2006 and 2008). It is therefore more likely that these proposals will be implemented; for the Government, I suspect, it is a case of third time lucky.
Just to be clear. I am not against data sharing; I am against data sharing that leaves the data subject exposed with no easy means of redress.
References
Data sharing paper from Cabinet Office (dated 28th July 2014) on https://docs.google.com/document/d/1g6kpiRUpgECnR2IXCuP0O1_VmuMMBgbD-oCmQI4wHVE/edit?usp=sharing
Law Commission on Data sharing: http://lawcommission.justice.gov.uk/areas/data-sharing.htm
Meeting with Francis Maud: http://datasharing.org.uk/2014/10/06/plenary-workshop-with-francis-maude-22-oct-2014-meeting-invitation/
I absolutely agree with your concerns. The Government seems to generate tight timetables (as with DRIP) for most issues relating to data protection or privacy.
Puppies are not only for Xmas. They grow into big dogs, often with big teeth, and then we have to trust the owners to ensure their powers are used sensibly.
Posted by: Tim Musson | 10/10/2014 at 05:14 PM