Scottish privacy principles could become UK benchmark
A set of principles for identity management and privacy drawn up by the Scottish government are likely to become a benchmark for all public bodies in the UK. The principles require Scottish public bodies to obtain only the minimum necessary personal information on citizens and to refrain from aggregating data in a single space. They also propose that citizens be given secure logins to view and correct information held about them.
The principles were drawn up by an expert group that included the assistant information commissioner for Scotland, prominent lawyers, activists and academics as well as Alan Kirkwood, chair of Socitm Scotland and Jerry Fishenden of Microsoft UK.
They cover five topics: proving identity and entitlement; governance and accountability; risk management; data and data sharing, and education and engagement.
Among other things, the guidelines say that public service organisations "should seek to avoid creating large centralised databases of people's personal information". Rather, data should be kept in purpose-specific stores, to be drawn together "if there is a business need to do so". As far as possible, information about use of services (transactional data) must be stored separately from personal data.
For frequently-used services requiring identification, people should have a simple way to register once, and thereafter be able to access the service by producing a token showing their entitlement rather than unnecessary personal information.
Where personal information has to be stored and shared, it should be accompanied by metadata about the data source, permitted uses and retention period. Individuals should have "simple, quick and effective means" to access information held about them. These could included "secure electronic acccess to check and correct the data that is held on them", the guidelines say, though they note that any such provision would need to be audited and regulated.
In a statement accompanying the publication, Christopher Graham, the information commissioner, urged "all Scottish public authorities, not just the Scottish government" to adopt the principles "as a minimum standard". Graham hinted that the principles would be treated as best-practice guidance for other parts of the UK, saying that when imposing penalties for breaches of the Data Protection Act, he takes in to consideration "among other factors, the level of compliance with best practice guidance issued both by my office and by other relevant parties".