Tuesday, March 18, 2008

Report by Parliamentary Committee

The Joint Committee on Human Rights has published its recent report on data protection and human rights (also mentioned in Out-Law news). Main conclusions to be drawn from the report:

"Conclusions and recommendations

1. We agree that data sharing is not, in human rights terms, objectionable in itself. Indeed, the sharing of personal data may sometimes be positively required in order to discharge the State's duty to take steps to protect certain human rights, such as the right to life, and it is also in principle capable of being justified by sufficiently weighty public interest considerations. However, the sharing of personal data will inevitably raise human rights concerns, and the more sensitive the information the stronger those concerns will be. Government must show that any proposal for data sharing is both justifiable and proportionate, and that appropriate safeguards are in place to ensure that personal data is not disclosed arbitrarily but only in circumstances where it is proportionate to do so. (Paragraph 14)

2. We fundamentally disagree with the Government's approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account. (Paragraph 20)

3. The attention paid to human rights, outside of the legal department, is likely to be very scant if the concept is regarded solely in terms of compliance with the Human Rights Act. In our view, the same is true of data protection and the Data Protection Act. Setting out the purposes of data sharing and the limitations on data sharing powers in primary legislation would give a clear indication to the staff utilising such powers of the significance of data protection. (Paragraph 21)

4. Having heard the Minister's comments, we are concerned that the role of data protection minister is far too limited, being related exclusively to the maintenance of the legislative framework for data protection. It is clearly sensible to require Government departments to take responsibility themselves for abiding by the Data Protection Act, but we would expect there to be a degree of inter-departmental co-ordination to share best practice and help deal with the fall-out from significant breaches of data protection by departments. We heard no evidence that any co-ordinating activity of this sort is currently carried out: if it is, then the data protection minister is not involved. (Paragraph 25)

5. We recommend that the role of data protection minister should be enhanced. In addition to overseeing the data protection legislation, the data protection minister should have a high-profile role within Government, championing best practice in data protection and ensuring that lessons are learnt from breaches of data protection. (Paragraph 26)

6. Recent breaches in data protection appear mostly to have resulted from human error and procedural lapses rather than technological problems. However, it would be wrong to see these errors and lapses as unfortunate "one-off" events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure. The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector. (Paragraph 27)

7. We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act. (Paragraph 28)

8. It is clear to us from a great deal of our work, and in particular recently our inquiries into human rights of older people in healthcare and adults with learning disabilities, as well as from this inquiry, that human rights are far from being a mainstream consideration in Government departments. The Minister has identified the cultural barrier to ensuring that personal data is adequately protected by the staff who handle it, but much more needs to be done to tackle this problem successfully. We have so far seen no evidence that the human rights champions in departments have made any impact, particularly in relation to front line staff. We will continue to scrutinise their work carefully. (Paragraph 34)

9. We await the outcomes of the various reviews of data protection with interest. We expect the Government to keep us informed about its proposals for reform in this area. We recommend that, in its responses to the reviews, the Government should acknowledge the close connection between data protection and human rights; and explain how it proposes to ensure that a culture of respect for personal data is fostered throughout Government. (Paragraph 35)

10. We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the national human rights machinery. We support proposals to enhance the Commissioner's powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively.(Paragraph 39)

11. We support initiatives to ensure that data protection issues are dealt with at an early stage in the planning of Government projects, including legislative proposals. We intend to scrutinise how privacy impact assessments are used in practice. (Paragraph 40)

12. Recent breaches in data protection by Government departments do not encourage us to feel confident about the security of data collected as part of the National Identity Register project. We intend to take a close interest in the Government's detailed proposals for the National Identity Register as and when they emerge. (Paragraph 47)

13. We regret that it has taken the loss of personal data affecting 25 million people - a "train crash", in the words of the Information Commissioner - for the Government to take data protection seriously. Data protection is a human rights issue and should not be treated as a fringe concern, a matter for rarely-consulted policy documents and procedures which are all too easily ignored. The recent data protection breaches have revealed the complacency of the Government's repeated refusal to accept our recommendations that more detailed limits and safeguards be included in Government bills which authorise the sharing of personal data. The problem is symptomatic of a deeper problem to which we have drawn attention in recent reports and on which we recently commented in our annual Report on our work for 2007: the failure to root human rights in the mainstream of departmental decision-making. (Paragraph 49)

No comments: