Information Sharing to improve better outcomes for children and young people: a perspective from the

1
Information Sharing to improve better outcomes
for children and young people a perspective from
the Information Commissioners Office

• Thursday 27 April 2006
• Louisa Stillwell
• Senior Guidance Promotion Manager
• Information Commissioners Office

2
Outline for today

• Who we are
• What we do
• Data Protection Act 1998
• Data Protection Principles
• Information Sharing
• Current projects the ICO view
• Information Sharing good practice
• Information Sharing - risks

3
Who we are

• The Information Commissioner is an independent
  authority appointed by the Queen to oversee the
  Data Protection Act 1998 and the Freedom of
  Information Act 2000.

4
What we do

• Promote good practice
• Provide information
• Issue codes of practice
• Report on functions
• Maintain register of data controllers
• Consider requests for assessments under DPA
  decisions under FOIA and EIR

5
Data Protection Act 1998

• Background ECHR, 84 Act, Dir 95/46/EC, 98 Act
• Gives rights to individuals regarding information
  processed about them
• Places obligations on data controllers processing
  personal information
• Notification to ICO of processing

6
Data Protection Principles

• Data must be
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept longer than necessary
• Processed in accordance with the individuals
  rights
• Secure
• Not transferred to countries outside of EEA
  unless they provide adequate protection

7
Information Sharing fairly and lawfully

• Fairness
• Awareness
• Expectation
• Lawfulness
• Conditions for processing
• Other relevant laws

8
Information Sharing fairly and lawfully

• Conditions for processing
• Personal data Schedule 2 condition
• Sensitive personal data Schedule 3 condition
• Most relevant?
• Schedule 2
• Consent
• Vital interests
• Functions conferred under enactment
• Functions of Minister of Crown or government
  department
• Schedule 3
• Explicit consent
• Vital interests
• Functions conferred under enactment
• Functions of Minister of Crown or government
  department
• Medical purposes

9
Information Sharing fairly and lawfully

• Lawfully continued.
• Complying with other relevant legislation
• E.g. Common Law Duty of Confidence
• Human Rights Act 1998
• Not acting ultra vires for a public authority
• Article 8 HRA98
• Right to private and family life
• Can be interfered with under certain conditions

10
Information Sharing - other considerations

• Specified purposes
• Disclosures must be in line with those purposes
  except where an exemption applies
• Adequate, relevant but not excessive
• Consider what needs to be shared to fulfil
  purpose and only share that information
• Security
• How will it be shared?
• Who with?
• Can further use of that information be checked?

11
Current Projects ICO view

• Transformational Government
• integral to transforming services
• ..but privacy rights and public trust must be
  maintained
• Cabinet Office Report Transformational
  Government
• Incorporate privacy from an early stage
• Use technology not only to improve services but
  to improve privacy
• Keep ICO involved

12
Current Projects ICO view

• Child Index
• Argued repeatedly that plans went beyond what was
  required by Laming recommendations
• ICO preferred Index about those at risk
• Easier to maintain in accordance with DPA
• Keeps focus on those with real problems
• Technically more viable
• However, decision taken and ICO have been
  advising on detail of how it will work, e.g.
  retention of information, access, etc

13
Current Projects ICO view

• Connecting for Health
• Close contact between ICO and CfH officials as
  plans have progressed
• Advice given on security and access
• HealthSpace

14
Current Projects ICO view

• Barring and vetting scheme
• Consultation response
• Would have preferred a scheme to register those
  able to work with children and vulnerable adults
• A degree of intrusion into privacy justified but
  must be proportionate under ECHR Art 8
• Continuation of enhanced disclosures
• Excessive information?

15
Information Sharing Good Practice

• Better use of personal information opportunities
  and risks (Council for Science and Technology-Nov
  05)
• Extensive public engagement
• Regulatory and governance frameworks to minimise
  risks
• Research into privacy enhancing technologies
• Federated databases rather than single

16
Information Sharing Good Practice

• Better use of personal information opportunities
  and risks (Council for Science and Technology-Nov
  05)
• Government must strike the right balance between
  promoting greater access to personal data and
  protecting the individualadopting the concept of
  citizens owning their own data and exercising
  control over how and when it is used

17
Information Sharing Risks of getting it wrong

• Surveillance Society risks
• Unacceptable volumes and detail of personal
  information, especially with major databases
• Inaccuracy, loss of accountability
• Lack of security (Blagging problems)
• Identity theft
• Building bigger haystacks
• Loss of public trust

18
Section 55 of DPA

• Adequate security and access are vital
• Information blagging is common
• Centralised information databases can add to this
• Protecting privacy is important to individuals
• ICO are calling for increased powers under
  Section 55 of the DPA
• Unlawful obtaining or disclosure of personal data
• Important safeguard to protect individuals who
  have no choice but to provide their personal
  information

19
General ICO Concerns

• Increasing pace of central databases
• National Identity Register
• Children Act databases
• National Care Record System
• Increased pressure for information sharing
• Cabinet Office (Report and Misc 31), CST, Academy
  of Medical Sciences
• Privacy friendly options are preferable
• Anonymisation/pseudonymisation
• Federated identity management etc

20
What concerns individuals?

• ICO research results 2005
• Protecting personal information third most
  important social concern, after preventing crime
  and improving standards in education
• Increased perceptions of information
  mismanagement and loss of control over personal
  data

21
What concerns individuals?

• Confidence in different types of organisation
  (public sector)
• NHS 64
• Police 54
• Government depts 42
• Local government 36
• DWP 31
• IR 28
• Schools 16

22
What concerns individuals?

• Confidence in different types of organisation
  (private sector)
• Insurance companies 47
• Financial orgs 46
• Mail order cos 42
• CRAs 24
• Charities 22
• Telecomms 20
• Shops 20
• Internet sites 16

23
Conclusion

• Where sharing information is justified, necessary
  and proportionate, e.g. to protect those at risk,
  DPA is not a barrier
• Provides sound framework for sharing in a secure,
  lawful and reasonable way
• We look at the overall picture wide range of
  info sharing projects in place/underway and
  individuals are concerned about privacy. Privacy
  considerations must be built in
• Where possible, use privacy enhancing techniques
• Get input from the ICO!

24
Contact us.

• Information Commissioners Office
• Wycliffe House
• Water Lane
• Wilmslow
• SK9 5AF
• Switchboard 01625 545700
• Helpline 01625 545745
• e-mail mail_at_ico.gsi.gov.uk
• www.ico.gov.uk