The injustice of data sharing

The Coroners and Justice Bill has had its second reading in the Commons and gone to Committee. Why should we care about a Bill that is, on the face of it, intended to reform the operation of Coroners and provide some revisions on sentencing procedures? The answer is hidden in Clauses 152-154 which, quite simply, exempt public authorities from compliance with the Data Protection Act, and allow them to do whatever they please with personal information. Coroners and Justice represents one of the most fundamental attacks on privacy ever set before Parliament.

Let’s take a look at some of the relevant text that is so inflammatory:

“…a designated authority may by order (an “information-sharing order”) enable any person to share information which consists of or includes personal data.

“…a person shares information if the person—

(a)   discloses the information by transmission, dissemination or otherwise making it available, or

(b)   consults or uses the information for a purpose other than the purpose for which the information was obtained.

“A designated authority may make an information-sharing order only if it is entitled to make the order by virtue of section 50C and it is satisfied—

(a)   that the sharing of information enabled by the order is necessary to secure a relevant policy objective,

(b)   that the effect of the provision made by the order is proportionate to that policy objective, and

(c)   that the provision made by the order strikes a fair balance between the public interest and the interests of any person affected by it.”

Consider what you’ve just read. A designated authority (minister) can issue a sharing order that allows the sharing or publication of personal information, regardless of the use for which the relevant consent was obtained. They can put it on the Internet, pass it to a private company, or use it in any way they wish. They can issue that information order simply to secure ‘a relevant policy objective.’ And it has to be done in a balance between the interests of the individual and the ‘public interest.’

It is widely acknowledged that the source of this is in last year’s Data Sharing Review, carried out by the Information Commissioner Richard Thomas (acting in a personal capacity) and Chair of the Wellcome Trust (now Sir) Dr Mark Walport. There was little surprise at the time that the report called for greater powers for the ICO, and the provision of greater data sharing powers for medical research. There’s nothing wrong with those recommendations, but the way that they’ve been interpreted for the Bill is outrageous.

Traditionally, when public authorities want to share information for purposes for which they do not have consent, they have to create a legal gateway to do so. A great example of this is the Work & Pensions Longitudinal Study, which allows statistical analysis of DWP benefits data and HMRC tax data. Why is that so sensitive? Well, imagine – for example – what would happen if someone were to publish the economic contribution of an immigrant minority to a given area, and demonstrate that particular minority in that particular area was a net drain on the taxpayer? Imagine – for example – the consequences of those most in need of benefits being too scared to apply for them because of outstanding tax bills. The consequences could result in loss of life. The statistical community at DWP took this so seriously that they set in place mandatory data protection training for anyone wanting to use this data; a detailed application process for any researcher wanting to use the data, with anonymisation techniques tailored to ensure that the risk of identifying a given individual is minimised; limited periods of access for each given researcher, who have to apply to renew that access every few months, together with a justification plan to prove why they need it; an Ethics Committee to scrutinise and accept/reject every application; and a host of statistical and audit controls over that data. The list of safeguards goes on and on. And Coroners and Justice would render the whole process meaningless when a less scrupulous Department could apply for a sharing order without the nuisance of proper checks and balances.

The consequence is a complete undermining of data protection in public authorities, which could use data pretty much how they please. They could publish it, aggregate it, send it to private companies, do anything they please. The Government has argued that the Bill incorporates checks and balances, but that was the same argument applied to the Regulation of Investigatory Powers Act – a Bill argued through for national security, which now allows Councils to film dog-walkers or follow parents home from school. These safeguards are always eroded in the face of departmental policies and Ministers over-zealously using personal information to deliver their commitments.

Coroners and Justice will undermine public confidence in providing personal information for healthcare, tax, benefits or any other social purpose. It will erode remaining confidence in the government’s massive database programmes. Existing controls – such as those over the National Identity Register – will be rendered meaningless. It has the potential to become a topic as inflammatory as the Poll Tax. And the worst bit is that once the data sharing starts, there will be no way to reverse it out – in other words, once the Bill goes through, it’s all over for privacy.

There’s little surprise that the likes of Liberty and NO2ID came out against this Bill very quickly indeed. What’s more surprising is that relatively conservative groups such as the BCS have published a statement condemning it. Most surprisingly, the Information Commissioner has now turned on it as well, and that’s despite the fact that the Bill makes provision for greater powers and greater funding for his office.

I’m very concerned that Coroners and Justice won’t receive the scrutiny, publicity and full-frontal opposition attack that it deserves. The Conservatives have spoken against it, but at the same time Chris Grayling is on record as saying that the Tories won’t make such a fight over abstract civil liberties issues. This is not an abstract issue. It’s real, it’s here, and the fact that it is buried in the depths of an unrelated Bill is a distressing sign of how tolerant we have become of sneaking this sort of full-frontal attack on our liberties through the back door.

I am a keen supporter of the need for a population-scale authentication infrastructure within the UK. I would like to see greater sharing of personal information in appropriate circumstances with appropriate controls. I think that the appropriate and properly controlled use of medical data for research purposes could deliver incredible leaps forward for the human race. I am certain that better use of the data that we already have could be a contributing factor to lift us out of the recession. These things would be good for public service efficiency and But the relevant clauses of Coroners and Justice are repellent and should be struck from the Bill, to be replaced by a more thoughtful, balanced and above all sane approach to data sharing between public authorities and the private sector – an approach such as that which has worked very successfully at DWP for some years now.

So what’s to be done? Write to your MP. Encourage your professional bodies to speak out against it. Campaign in any way you can. And be very, very scared if the Coroners and Justice Bill is passed into law without clauses 152-154 being struck from the text.

[Edited 23/02/09 to add further links]