Data protection is at a crossroads for the UK’s IT decision makers and data managers – the very people who are tasked with interpreting national and international regulations for their organisations, so they can act within the law and avoid penalties.
The data protection regime in Europe is moving towards harmonisation, and enshrined within European Commission (EC) proposals for a single digital market is the “right to be forgotten”. In the US, what amounts to a privacy bill of rights is being drawn up to protect American citizens.
In the UK, the government seems to be swimming against this tide, with announcements that herald more intrusive data gathering, and broader terms for its retention.
These mixed messages are unhelpful, and leave decision makers adrift in terms of where their own responsibilities lie.
While the government’s opponents might claim that its data policies are driven by doctrine, that can hardly be the case; the Coalition is revisiting a strategy that was first proposed under Tony Blair.
In Opposition, the Conservatives pledged to sweep aside “intrusive, ineffective and enormously expensive” data policies, and to keep in check data-sharing between government agencies. But now, Cabinet Office minister Francis Maude is a standard-bearer for a “new intelligence sharing architecture” in which government departments will proactively share data about citizens.
Political expediency is one reason for the about-face: “the big brother state” is something that Opposition parties routinely oppose, regardless of their hue. But it is not the only one. The other is cost.
More and more government departments, councils and other government agencies are joining forces in shared services, often with the aid of private investment. In many cases, the aim is to find the savings mandated by George Osborne in his 2010 spending review. The vast majority of those cuts are still outstanding.
By sharing IT platforms, organisations are finding they are also sharing data, between themselves and their private partners. In some cases, there is a risk that isolated programmes may be illegal, or at least fall into legislative grey areas, or not be in the spirit of data protection regulations.
The government, then, is trying to remove legal obstacles to what is already happening, and the only way it can do that is by making legislation broader.
In some cases, new powers are only proposed, but may require amendment of the Data Protection Act. Others – such as the Protection of Freedoms Act 2012 – allow data retention about private individuals for years, in categories that are so broad as to be practically meaningless.
A right to be forgotten, then – unless someone is broadly of interest to the government and its agencies, including the police.
But does data-sharing across systems and organisations automatically create greater efficiency – as suggested by Dell’s Dr Andrew Litt? One working example is the NHS National Programme for IT, the greatest ever IT white elephant, the ultimate aim of which was to enable a seamless, digital conversation between patient and care provider.
On a local level, shared services may cost money to set up – hence the injection of private finance and risk mitigation – with ultimate payback being sometimes years in the future. They also create a tension between taxpayer obligation and shareholder value. Not a guarantor of quick savings.
The government, then, should be wary of having broad data-sharing aims that are unsupported by clarity – clarity in law, clarity in intention, and clarity of responsibility for data managers and custodians.
It may wish to create the “Data Bank of England”, in effect, but a free market in which citizens’ data is a currency traded for economic gain can only work if the government can prove it is a trusted data custodian. As our interview with ICO deputy David Smith suggests, in many cases it simply is not.
It may also be against the spirit, if not the letter, of the Data Protection Act.
Chris Middleton, Editor