Information Sharing Sheila Logan Information Commissioner’s Office Employability Partnership Event Glasgow 13 August 2009
Information Sharing • An overview of the benefits and risks of information sharing. • Sections of the Data Protection Act relevant to the sharing of personal information and the ICO Framework Code of Practice.
Information sharing – Benefits • Multi-agency co-operation. • Personalisation of services. • Crime reduction partnerships. • Anti-fraud activity. • Convenience – one stop shop.
Information sharing -Risks • Lack of understanding. How and why information is being shared? • What are the consequences? • Difficulty exercising rights- where do you go? • Concerns over sensitive information. • Lack of responsibility. • Different priorities.
The ICO Framework for Information Sharing • The Framework breaks down compliance into easy steps and helps organisations develop consistent standards. • The Framework looks at retention of shared information, security, access and fair processing notices.
First Principle (key principle) • Personal data shall be processed fairly and lawfully – Schedule 2 condition; • Sensitive personal data – Schedule 2 and 3 conditions.
Seventh Principle (security) “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Information sharing in practice • Define why information is to be shared • Clarifying legal powers and proportionality • Ensure fair processing • Manage information sharing • Identify who is responsible • Procedure • Decide what information is required, how it is checked for accuracy, who needs to see it, how long it is retained for, who provides access, etc. • Management controls to ensure above is followed • Audit • Review regularly
Information Sharing in Practice Underlying principle – Is the Information sharing about: discharging essential services which you are under a duty to provide, OR assisting individuals in securing additional Services which may be of benefit to them?
Information Sharing in Practice • Difficulties and Perception The DPA 1998 does not prohibit information sharing in circumstances where this is permitted. • Problems are often to be found in governing legislation Are legal powers regimes sufficiently robust? New government strategies without statutory backing. Thinking changes rapidly but legislative process is slow.
Information sharing in practice • Core measures to protect personal information • Making data protection the foundation of good business practice. • Culture that values and protects personal information. • Balanced and considered policy making. • Assessment of proportionality and risk. • Minimal information.
Information sharing in practice • Investment • Accountability • Scrutiny • Effective Regulation