Gateway reviews must look at privacy, says Information Commissioner

Bamford: we do not want government systems to contravene data protection laws

The government is in talks with the personal information watchdog over plans to assess the privacy implications of public sector IT projects before they are launched.

The Information Commissioner’s Office (ICO) wants privacy impact assessments to be part of the Gateway review process, which examines the viability of IT schemes. But the government only wants project-specific controls.

Compulsory assessments would save money and reassure the public, said assistant information commissioner Jonathan Bamford.

“We do not want the government to develop systems that may contravene data protection law and cost millions of pounds to put right,” he said.

“And we do not want systems to be developed that will not enjoy public confidence because people feel that their privacy is being eroded.”

Critics claim that technology has moved the privacy goalposts since legislation enabling major projects such as the identity card scheme was passed.

Gateway reviews assess government programmes at five different stages ­ from the initial business case through to looking at the lessons that have been learned from implementation.

Privacy impact assessments could guard against accidental violations because of technical progress, according to Bamford. “The implications of function creep in a project must be assessed before it goes ahead,” he said.

A privacy impact assessment (PIA) is an official ICO process that enables organisations to anticipate and address the likely effects of new initiatives, foresee problems and negotiate solutions.

The Office of Government Commerce (OGC) said the department will consider privacy issues for specific projects, but not as standard. “The use of PIA will be considered by the OGC as part of the evaluation of their risk management practices in appropriate projects,” said a spokesman.