Lead policy officer says public authorities should form data protection teams and carry out privacy impact assessments
Local authorities should not be deterred from data sharing initiatives by the Data Protection Act (DPA), the lead policy officer of the Information Commissioner’s Office (ICO) has told senior council officials.
Stacey Egerton said the organisation recognised the benefits that can be achieved through sharing initiatives and that, if they approach it correctly, the DPA “should be an enabler”, not a barrier.
She was speaking at the Digital Authority Forum, staged by UKAuthority and The MJ in London yesterday, making point there are widespread misconceptions over the implications of the act.
One is that it is always necessary to obtain an individual’s consent to share their data, while the law only requires that they should be informed. This often combines with confusion over a complex legal framework and cultural barriers inside organisations – notably a fear of getting sacked for breaking the law – to stand in the way of efforts to improve services by sharing data.
This can work against public expectations of personal data being shared more freely between organisations to provide services.
Egerton highlighted two steps that could promote good practice. One is to carry out privacy impact assessments before any data sharing initiatives.
“Our approach is very much about promoting privacy rights from the beginning, and bear in mind that under the new European legislation (the EU General Data Protection Regulation) due come into force in 2018, privacy impact assessments will be mandatory for most projects,” she said. “It will no longer be good practice but a must.”
The other is the creation of data protection teams. She said the role often sits within an IT department, but that the new EU law requires that organisations have a data protection officer. This should assert the importance of the role and help organisations find the right balance in any initiatives.
She also directed the audience towards the ICO’s data sharing checklists, which provide guidance on whether it is permissible to share data systematically or for one-off requests.
“There are still big improvements to be made in all sectors in terms of promoting data protection and governance and pushing it up the agenda,” she said.
“It comes from staff training, making sure they are aware of the issues arising, and working together. I’ve been surprised by how reluctant organisations are to share knowledge, but what’s the point of reinventing the wheel when you can share.”
She added that organisations should reassure staff who are fearful what will happen if they get things wrong, and pointed out that the ICO has never fined an organisation for sharing data incorrectly as it sees the benefits and wants to spread good practice.
“We want to help people break down the barriers and achieve what you’re trying to do,” she said. “There are benefits from data sharing for the organisation in complying with the law and building trust and confidence internally and externally.
“It also has cost benefits that become societal benefits, in areas such as combating fraud and supporting troubled families.”
Image from stockmonkeys.com, CC 2.0 through flickr