Digital public sector news, research & engagement

Monday 27 December 2010

Scottish privacy principles could become UK benchmark

A set of principles for identity management and privacy drawn up by the Scottish government is likely to become a benchmark for all public bodies in the UK. The principles require Scottish public bodies to obtain only the minimum necessary personal information on citizens and to refrain from aggregating data in a single space. They also propose that citizens be given secure logins to view and correct information held about them.

The principles were drawn up by an expert group that included the assistant information commissioner for Scotland, prominent lawyers, activists and academics, as well as Alan Kirkwood, chair of Socitm Scotland, and Jerry Fishenden of Microsoft UK.

They cover five topics: proving identity and entitlement; governance and accountability; risk management; data and data sharing; and education and engagement.

Among other things, the guidelines say that public service organisations "should seek to avoid creating large centralised databases of people's personal information". Rather, data should be kept in purpose-specific stores, to be drawn together "if there is a business need to do so". As far as possible, information about use of services (transactional data) must be stored separately from personal data.

For frequently-used services requiring identification, people should have a simple way to register once, and thereafter be able to access the service by producing a token showing their entitlement rather than unnecessary personal information.

Where personal information has to be stored and shared, it should be accompanied by metadata about the data source, permitted uses and retention period. Individuals should have "simple, quick and effective means" to access information held about them. These could include "secure electronic access to check and correct the data that is held on them", the guidelines say, though they note that any such provision would need to be audited and regulated.

In a statement accompanying the publication, Christopher Graham, the information commissioner, urged "all Scottish public authorities, not just the Scottish government" to adopt the principles "as a minimum standard". Graham hinted that the principles would be treated as best-practice guidance for other parts of the UK, saying that when imposing penalties for breaches of the Data Protection Act, he takes into consideration "among other factors, the level of compliance with best practice guidance issued both by my office and by other relevant parties".