Cabinet Office plans to increase data sharing among government departments and other public-sector bodies will require a new "consent exemption" to legalise the sharing of sensitive personal data.
That is the view of Kathryn Wynn, a data protection law specialist and senior associate at law firm Pinsent Masons. Even with such an exception, she warns, public-sector bodies might still have difficulty justifying sharing sensitive personal data under the Data Protection Act, without first notifying the individuals concerned.
It follows revelations that Cabinet Office minister Francis Maude is planning new laws that would provide the public sector with a "fast-track mechanism" to enable personal data collected by one government department or public-sector organisation to be used by others for purposes other than those originally intended.
According to the reports, even data collected by doctors or the police could be shared with other bodies without individuals' consent or notification. This, however, might contravene as many as four of the eight data protection principles established under the Data Protection Acts 1984 and 1998.
In an article on a website run by the law firm, Out-law.com, Wynn said: "At the moment, if an organisation wishes to share sensitive personal data, it must satisfy the first data protection principle. The data sharers would be required to ensure processing is fair and lawful, and that individuals have been issued with a ‘fair process notice'."
She added: "The data sharing bodies may also be able to rely on the ‘legitimate interests' justification for processing data without consent, provided that they have made an assessment to ensure that the data sharing will not be prejudicial to the individuals."
It is not yet clear, however, whether Maude is proposing this relaxation in data protection for investigative or operational purposes. Many public-sector organisations, encouraged by central government, have forged ahead with shared services, such as running common functions from the same technology platforms. Many are also experimenting with cloud computing.
These initiatives, though, are driven by a need to save money and to improve long-term cost efficiency, even if establishing such initiatives has a high up-front cost.
There remains a suspicion that local authorities, police forces and other public-sector bodies are increasingly sharing personal data in ways that may be illegal under the Data Protection Act and that the aim is to retrospectively normalise these activities, and to make cross-governmental data sharing the norm in future.