nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Wide-ranging UK DATA SHARING moves one step closer

Report shelved as government looks for quick fix

By Amberhawk Training, 10 Oct 2014

Comment I suspect the UK government is going to ditch the Law Commission recommendations on data sharing; this is because it wants a quick implementation of its own extensive data sharing proposals. In short, general data sharing powers are now on the political agenda again.

This is the third time in a decade the government has tried to obtain data sharing powers that apply in circumstances unconnected with the usual suspects (e.g. crime, national security, and law enforcement).

In 2006, the government tried with the Identity Card Act to permit general public sector access to the Identity Card database in order to help deliver efficient and effective public services. This was followed with wide data sharing powers in 2008's Coroners and Justice Bill; after considerable opposition in the upper house of parliament, these were replaced by the data sharing code of practice provisions (which we all love).

Third time round has happened with these proposals.

The government has learned that it needs to engage with its opponents. So for the last year, the Cabinet Office has been holding a number of public meetings with the objective of “exploring whether some of the barriers to sharing and linking different datasets in government can be removed in order to develop a better understanding of the economy and society; deliver more targeted and joined-up public services; and save public money lost through fraud, error and debt”.

In many cases, the government insists that any data sharing occurs with the consent of the data subject. However, the documentation also indicate that consent is not the only way for data sharing to occur.

This document states that government intends to take a general data sharing power which “ intended to be used in situations where...”:

“The objective could not be met without data sharing", or

“It is not realistic and practicable to use consent to achieve the intended outcome or use of consent would not meet the criteria of free and informed decision”, or

"Analysis of anonymised data would not achieve the intended outcome”

Although this is a discussion document, I think the chosen wording gives rise to several concerns. For instance, the data sharing power has not been described in terms such as being "necessary" in association with a pressing social need that has been identified.

And what does “not realistic” mean in practice? Could these powers be used when so many data subjects refuse consent to the data sharing, that it would then become “realistic” to override these refusals?

In addition, who decides when it “is not realistic” to rely on data subject consent or what are the circumstances when anonymous analysis “would not achieve the intended outcome” (Does this extend to data sharing of health and social work records for instance?). As with the two previous data sharing initiatives, the devil is in the detail.

It is no good, as the document does, in providing examples of “beneficial” data sharing. The problem is that when powers are enacted, they can be used well into the future. As with the adage “puppies are not only for Christmas”, once these powers are available, they can be used indefinitely until repealed.

In fairness to the points made in the document, it does identify the problems when “very broad powers” are used, but proffers no solution to this, unlike this.

Privacy safeguards?

The 28 July documentation claims that the privacy safeguards against excessive data sharing include: "The Data Protection Act 1998; Law of Confidentiality; Article 8 of the European Convention on Human Rights and EU legislation on data sharing". I will now show when these legal safeguards are unlikely to apply.

For instance, with respect to the common law of confidence, it is well known that one can always set aside a confidentiality obligation if there is a statutory requirement to disclose such confidential personal data. So as soon as ministers exercise their data sharing powers to demand disclosure, so it's “goodbye” common law of confidence.

It is also well known that the Human Rights Act is under threat of abolition by the Conservative ministers in the coalition, who are currently driving the data sharing agenda. So if a Conservative government is returned after the next Election, we don’t know the nature of the Article 8 replacement. As for Europe – we might leave following an in-out referendum! In both cases, the safeguards on offer are uncertain.

With respect to the Data Protection Act (DPA), I have often argued that once statutory powers are applied to a disclosure, then the disclosure is almost invariably “lawful” and the disclosure itself can be subject to the exemption from the non-disclosure provisions (S.35(1)). This exemption can exclude several data protection principles (Fairness, Second to Fifth Principles) and the rights that could block disclosure.

The Third Principle can be neutered if broad purposes are defined in data sharing legislation. For example, if a controller says "personal data item X is relevant to a housing benefit purpose", the claim can objectively be tested: essentially, we can ask “is the data item relevant or not relevant to the housing benefit purpose?”.

However, this test is substantially diminished if the purpose is broadly defined as in "the purpose of the efficient delivery of public services"; many items of personal data could satisfy this requirement.

In summary, when a purpose is narrowly defined, the more precise the relevance test of the Third Principle becomes, and the more protection there is from the DPA. The converse is also true; the broader the purpose description, the less precise is the relevance test and the poorer the protection afforded by the DPA. The same argument applies to the retention criteria of the Fifth Principle as it, like the Third, the level of protection is linked to "the purpose" of the processing.

In summary, there will be not much data protection on offer when statutory data sharing powers are exercised.

What's missing....

Some of these are listed below; they are very easy to identify if, unlike the document, one asks the simple question “what could go wrong?”.

Whenever data subject consent is impracticable, then there has to be a right for any data subject to object to any further data sharing, at any time, without providing a reason. In fact, transparency arrangements should offer an “opt-out”. Exceptions to this right to object can be catered for and easily be identified (e.g. to permit data sharing in relation to fraud).

At the moment, there is no right to object that would apply to non-consensual data sharing, and it is important to understand that the current right to object to the processing under the DPA (S.10) won’t apply.

As soon as statutory powers for data sharing are exercised any data sharing required by law would be legitimate in terms of Paragraph 3 of Schedule 2, whereas the current right to object in the DPA only applies when paragraph 5 and 6 applies to the data sharing. In addition, the data subject has to show that data sharing would cause or likely to cause “unwarranted” and “substantial” damage or distress; this is a high barrier to the exercise of this right.

The second safeguard, I suspect, is needed when personal data are used for data matching and/or profiling; the Information Commissioner should be tasked to produce a statutory code of practice if data sharing involves these two.

Thirdly, there needs to be a counter-balance to the exercise of ministerial powers by Statutory Instrument (SI) as the UK parliament hardly ever rejects the use of powers granted to ministers (even when the SI is subject to debate in a Select Committee). The Information Commissioner should be given the explicit right to apply to court on the grounds that the processing of personal data is disproportionate in terms of Article 8 of the Human Rights Act. This raises the prospect of the power being declared unlawful and the SI being struck out.

Wide-ranging UK DATA SHARING moves a step nearer

In other words, there needs to be an easy-to-use, free of charge, mechanism whereby data subjects could gain access to the courts in order to test the lawful basis of the data sharing; allowing the commissioner to enforce unlawful processing in terms of Article 8 is one example of such a mechanism.

The documentation is silent on the issue of redress for a data subject who has been damaged by non-consensual disclosures; one suspects that the aggrieved data subject is supposed to take a compensation claim through the courts. This redress thus only applies in the most damaging of circumstances.

You could easily have the commissioner (or some ombudsman) recommending compensation if there is detriment to the data subject caused by the data sharing. This could, for example, arise if a data subject is denied a benefit on the grounds of sharing inaccurate personal data.

Sadly, there is currently no indication that data sharing, once commenced, will cease. For instance, in my view, if data sharing powers are used in non-law enforcement circumstances, there must be a document which explains the benefits achieved by data sharing in quantifiable terms. By implication, if the stated objectives are not realised, then data sharing should cease.

Instead, the document suggests periodic reviews so that improvements can be identified (i.e. so that data sharing continues), or the existence of oversight by parliamentary committees that can make recommendations. Both these are window-dressing — once powers are enacted, data sharing continues and recommendations are just that (something that can be ignored).

Another way of achieving this cessation of processing objective is to have a “sunset” clause on each data sharing initiative. This would require data sharing powers to be renewed under an independent process, and enables an effective cost-benefit analysis on the basis of past performance, before data sharing powers are renewed.

As I said, these simple protections are missing and I have yet to identify any effective privacy protection to prevent excessive data sharing or redress should data sharing go pear shaped.

Concluding comments

The government’s timetable is tight. A white paper is expected by Christmas and a period of public consultation ending in March. This means that there will be a civil service briefing pre-prepared for an incoming government after the next General Election. Such a timetable excludes the considered approach suggested by the commission.

With all political parties promising considerable deficit reduction targets (albeit different ones), then one suspects that all civil servants need do is to hint at unquantifiable but huge savings that arise from wide data sharing (just as they did in 2006 and 2008).

It is therefore more likely that these proposals will be implemented; for the government, I suspect, it is a case of third time lucky.

Just to be clear. I am not against data sharing; I am against data sharing that leaves the data subject exposed with no easy means of redress.®

The Register - Independent news and views for the tech community. Part of Situation Publishing