
Data Investigators

by msecadm4921

Investigators of the Information Commissioner’s Office ought to have the power to enter premises and inspect any data and any information, as in the Republic of Ireland.

That is among the recommendations of a data sharing review for the Department for Business (BERR), with the report going to the Ministry of Justice.

The ‘Data Sharing Review’ was by Richard Thomas, the Information Commissioner, and Dr Mark Walport, the Director of the Wellcome Trust. It points to Irish law, under which it is an offence to obstruct such an investigator. The review implies that investigators would be on any site for a while: “To check an organisation’s compliance with data protection requirements may take some time, usually on-site, examining how policies, procedures and technologies are operating in practice and checking management and staff behaviours.” The threat alone, the review went on, should be enough to ‘secure the co-operation of most’. This will cost: larger firms registering under the DPA can look forward to paying more, under a ‘multi-tiered notification fee’.

Ironically, although the review proposes more forceful law for the ICO’s own investigators, it does not face up to the position of people already working in private security and investigation who have lawful reasons, and clients, for seeking to share data. In a section on law enforcement, the review admits: “Personal information must often be shared to protect national security, help prevent crime, and identify the perpetrators of crime. Agencies, typically but not necessarily in the public sector, are increasingly sharing or pooling relevant information.” However it goes on to duck the issue: “There is no simple answer to the question of when it might be appropriate to share personal information for enforcement and protection purposes.” The authors speak of judging benefits and risks, and even appeal vaguely to common sense and ‘circumstances’.

As for circumstances, the authors point out: “For instance, following the terrorist attacks on the London Underground on 7 July 2005 there was little public concern about the extent of personal data sharing that ensued … just as surveillance footage is routinely screened for the purposes of identifying the perpetrators of serious crimes.” Oddly, the authors ignored the far more routine need of private investigators, acting on behalf of insurers, companies pursuing debts and so on, to access data to trace debtors and others. Yet this has been the subject of disapproving reports by the ICO, titled What Price Privacy? The absence of the private investigation point of view was also ironic because the authors recommended ‘greater enforcement and inspection powers’ for the ICO, to investigate wrong-doing under the Data Protection Act (DPA).

Despite its call for the power to enter premises, the ICO has decided not to seek a change in the law that would order bodies (as in some other countries, such as the United States) to own up to a data security breach: “Not only would this add a significant extra burden for organisations but more worryingly, it could produce ‘breach fatigue’ among the wider public if it were to result in frequent and unnecessary notifications of minor incidents. This carries the very real danger that people will ultimately ignore notifications when there is, in fact, significant risk of harm.” The review recommended that ‘as a matter of good practice, organisations should notify the Information Commissioner when a significant data breach occurs’. Generally, the review recommended transparency, and respect for data.
The review’s final report concludes that:

  • there is a lack of transparency and accountability in the way organisations deal with personal information

  • there is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law

  • more use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis

  • the Information Commissioner needs more effective powers, and the resources to allow him to use them properly.

Or, in the words of the foreword, a ‘strong regulator’ is needed: “It is essential that the regulator has sufficiently robust powers and sanctions available to it; and that it is resourced adequately … We also believe that stronger inspection and audit powers are required and that new funding arrangements to enable effective enforcement are long overdue.”

In the foreword, Richard Thomas and Mark Walport, of the Wellcome Trust, said: “Repeated losses of sensitive personal information in both the public and private sectors demonstrate the weakness of many organisations in managing how data are shared. The advent of large computer databases has allowed the loss of massive datasets in ways that were simply impossible with paper records.”

Among the annexes to the report is an ICO code of practice, which has a section on security:

“Your key consideration should be to make sure that your security is adequate in relation to the damage to individuals that a security breach could cause. More sensitive or confidential information therefore needs a higher level of security. However, rather than having different security standards for different pieces of information, it might be easier to adopt a ‘highest common denominator’ approach, that is, to afford all the information you hold a high level of security. A good approach is for all the organisations involved in information sharing to adopt a common security standard, for example, ISO17799 [international standard for information security management] or ISO27001. Adopting the Government Protective Marking Scheme can also help organisations to make sure there is consistency when handling personal information.

2. A difficulty that can arise when information is shared is that the various organisations involved can have different standards of security and security cultures. It can be very difficult to establish a common security standard where there are differences in organisations’ IT systems and procedures. You should address problems of this sort before you share any personal information. It is the primary responsibility of the organisation providing the information to be shared to make sure that it will continue to be protected by adequate security once other organisations have access to it. There should be arrangements in place that set out who is allowed to access or alter a record.

3. Different organisations may have different cultures of security, and considerations similar to those outlined in the point above apply. Again, it is important that any relative weaknesses in an organisation’s security are rectified. This could be done by the organisations involved delivering a common training package, before any personal information is shared between them. Where an organisation employs another organisation to process personal information on its behalf, a contract must be in place to make sure the information remains properly protected. In some cases, for example where very sensitive information is involved, staff may be subject to a vetting procedure. If vetting is justified, staff from other organisations that have access to the information should be subject to equivalent security procedures.”

You can download the 74-page review at the ICO website, or at the Justice Ministry website:

http://www.justice.gov.uk/reviews/datasharing-intro.htm

© 2024 Professional Security Magazine. All rights reserved.