The creation of such a database has so far been prevented by the Data Protection Act (DPA), but the government is reportedly planning to ease privacy protection laws to make way for data sharing between departments.
The DPA has been in place for over two decades. Before that, organizations bought, sold, and passed on personal information held in their databases to other organizations without the prior knowledge or consent of the individuals concerned. The DPA has put an end to all that very effectively. Organizations now need the individual’s permission to pass their data to other departments or companies.
Furthermore, private individuals can register with telephone, fax, and postal preferences services to stop the deluge of unsolicited sales letters, telephone calls and faxes that they would otherwise receive.
The DPA applies to all, to the public sector too, where compliance with it has been high on the government agenda to date. For example, the UK’s five year long e-government program mandated that councils improved their document records management processes by identifying areas where existing records management policies had to be improved specifically to meet the requirements of Freedom of Information and Data Protection legislation (the G19 priority outcome).
Unfortunately, the DPA has also had some unexpected side effects. It resulted in much over-reaction in some areas. For example, parents at some schools were told that they could no longer photograph school plays, for fear of breaking the law. Health workers became so concerned about the risk of litigation that, in some cases, they stopped writing the true diagnosis of cases in case it led to private prosecution by those patients who accessed their records under DPA.
In more recent years, the Information Commissioner’s Office has acted to dispel myths about the DPA by providing advice on specific scenarios, but it is not always easy to understand how the law applies in different cases.
In 2005/6, the National CRM (customer relationship management) Programme which set out guidelines for CRM projects for the public sector, indicated that, under DPA rules, local authorities could not transfer citizen data held in their council tax databases to their CRM systems. There were also suggestions that the Government Connect project, which is to provide single sign-on to the UK government’s online services, could prove to be unlawful under DPA.
The situation was not helped when, at the time, none of the government departments concerned could provide a convincing answer to the problem. Now, once again, compliance with the DPA is under the spotlight as the government attempts to deliver its agenda for transforming public services. Data sharing is a key part of that and is causing unease in the sector, hence the plans to change the law.
While this has been going on in the public sector, the private sector, in contrast, seems to have found ways of operating within the DPA framework. For the past 20 years, the sector has continued to modernize services in a variety of ways; whether through new integrated IT systems, or new service models such as outsourcing.
Data sharing on a national scale is going to be very challenging, with many data quality and integrity issues and barriers. Such an ambitious aim is unlikely to be achieved. A different approach would be to learn from the private sector, and deliver service modernization at a more local level, without driving a coach and horses through much needed privacy protection laws.