The information commissioner has issued a stark warning that the government has not paid enough attention to the dangers of data sharing.
In pursuing its 'transformational government' agenda of greater data sharing, the government has not fully considered the implications for privacy, according to a Friday report by the information commissioner. While the government has concentrated on the benefits of increased data sharing, it has ignored the dangers, the data watchdog warned in the report.
"The tenor of the government's argument has focused closely on the benefits of data sharing, paying perhaps too little attention to the potential hazards associated with ambitious programmes of data sharing," stated the report. "The government has consistently laid itself open to the criticism that it considers 'data sharing' in itself an unconditional good, and that it will go to considerable lengths to encourage data-sharing programmes, while paying insufficient heed to the corresponding risks or to people's legitimate concerns."
The benefits of data sharing include more efficient bureaucracy, the government has consistently stated. However, the dangers of increased data sharing, including greater risk of people's personal details being misused or compromised, has not been acknowledged by the government, stated the report.
This situation has been exacerbated by events such as the loss of 25 million child-benefit claimant details last year by HM Revenue & Customs, and the loss of bank details by financial institutions. According to the report, their loss "served as stark illustrations of the risks posed by the 'information age'."
The Data Sharing Review Report was written by information commissioner Richard Thomas and Wellcome Trust director Mark Walport. According to the authors, there has been a refusal to acknowledge data-sharing dangers, and confusion is rife in both public-sector agencies and private-sector organisations as to how and when to share data.
"This is one of the areas of most confusion," Walport told ZDNet.co.uk at a press conference on Thursday. "Authorities involved in child protection complained that they couldn't get the information they need [from each other]. It's an area of a great deal of confusion."
Thomas recommended the government put a code of practice in place to alleviate this confusion, and clarify existing data-protection legislation.
However, he also recommended that in order to facilitate data sharing, if the government had a genuine need to remove or modify a legal barrier to data sharing, a fast track procedure needed to be implemented to repeal or modify data law. Thomas said this should still be scrutinised by Parliament.
Both Walport and Thomas declined to comment on the security and privacy implications of data sharing in individual schemes such as the UK ID cards programme, which plans to share people's identity data between banks, retailers and government agencies. However, Walport said that with this legal mechanism the government could scrutinise data sharing on a scheme-by-scheme basis.
Thomas and Walport made a number of recommendations for government data sharing. Organisations handling significant amounts of personal data should work out accountability and lines of responsibility, and train staff to handle data securely, said Thomas.
"There's a significant lack of public trust in data handling in general, and data sharing in particular," said Thomas. "There's got to be clear governance and accountability. Who is responsible for getting it right? If the top managers are assuming techie people are [responsible], that wouldn't be right; if the techies assume HR are doing it, that wouldn't be right."
One of the recommendations was that councils cease selling an edited version of the electoral register to commercial organisations, in order to increase public trust."There's a lot of concern out there," said Thomas. "People are uncomfortable with the idea of their information being sold to commercial organisations."
Thomas also recommended that the Information Commissioner's Office (ICO) be given powers in line with the Financial Services Authority, with the power to impose fines on organisations for "reckless" data breaches, and that the ICO be expanded from a single information commissioner to an executive board of commissioners, with greater powers and funding. The report stated that, at present, the information commissioner did not have enough powers to be truly effective.
"A large majority of contributors to the review expressed the consistent and strongly held view that the information commissioner and his office (ICO) have neither adequate powers nor sufficient resources to promote or enforce proper information-management practices," stated the report.