Wednesday, October 11, 2006

'Data Protection means whatever we want it to mean'

Baroness Ashton, responsible for pushing the information-sharing free-for-all that is the Children Act 2004 through the Lords, and now 'Information Rights Minister' at the DCA, is interviewed in egov monitor. Amongst other things, she says:

The Data Protection Act (DPA) neither provides a power to share data, nor does it actively bar the legitimate sharing of data. The DPA provides a framework for the proper use of personal data. In particular, it requires data to be processed (and processing can include sharing) fairly and lawfully - the first data protection principle - but it does not specify the means by which processing is to be regarded as "lawful". Government agencies must therefore, be certain that they have a lawful basis for the data sharing/processing in question. This lawful basis can, in the UK, be via Common Law or via statute law.

We are considering the extent to which changes may need to be made to statute law to enable fully-effective data sharing throughout the public sector – but the framework of protection provided by the DPA and the HRA will remain in place.

Roughly translated, this means that where the DPA does not currently allow information to be shared, a statutory duty will be created that creates an exception to any obstacle the DPA presents.

Not only does this make a mockery of data protection; it shows blatant disregard for the EU Directive that the Data Protection Act was meant to embody. As international lawyer Douwe Korff says:

Note again the basic thought that all that the DPA and the HRA require is that the government provides a statutory basis for whatever it wants to do. They still don't grasp that the European requirement is that data sharing requires a legal basis AND must be "necessary"/proportionate to a (narrowly-defined) legitimate aim. They basically feel that if something is required - or even just allowed - by law, or in a regulation based on a law, that is sufficient.

Of course it is easy for them to churn out any regulation that allows whatever they like, while what they should do is look very closely at what rules in such laws or regulations would be proportionate and what rules would not be, strictly tested, and what procedural/oversight safeguards are required to ensure compliance.


Post a Comment

<< Home