FOI Man reviews a seminar hosted by the University of Winchester’s Centre for Information Rights and questions whether those of us who are information practitioners are helping or hindering attempts to protect the vulnerable.
Back at the end of April I attended a seminar hosted by the University of Winchester’s excellent new Centre for Information Rights. The title for the seminar was “Data Sharing and the Vulnerable”, and given recent scandals around Jimmy Savile and Winterbourne View, it was timely.
The first speaker was Sue Gold, who is a solicitor with Osborne Clarke, but had previously worked for the Disney Corporation. Sue highlighted the difficulties not so much of sharing data, but of collecting data – specifically from children. If you asked most organisations whether they collect data from children, their automatic response would be no. But Sue pointed out that most websites will, even if their owners don’t intend them to, at some point collect data (eg registration data) from those who are much younger than their target audience. Most companies have some form of “age gating” to try to prevent children accessing products or services, but as Sue demonstrated, very few – if any – of these are effective. Frankly if you can think of a way to prevent children from accessing your site, they will have already thought of a way to bypass it. And if you have a system that requires parental consent…well, you probably remember what happened when you had to get someone to sign your homework diary.
This was followed by Helen James, Winchester’s Head of Law, who talked about the limitations of the UK’s whistleblowing legislation in a culture where 80% of nurses in a survey thought they would be victimised if they blew the whistle on their employer. Helen pointed out that there are hints that the mood is changing following Winterbourne View and the Mid-Staffordshire NHS Foundation Trust inquiry.
Finally, Jerry Brady of Dorset County Council’s Children’s Services looked at information sharing in services for vulnerable children. Jerry pointed out that following the Laming Report into the circumstances surrounding the death of Victoria Climbie, there had been a new emphasis on the importance of sharing data to protect vulnerable children. The aim was to integrate services, but limited progress has been made, not least because of political arguments over information sharing. There has been a shift away from integration towards alignment of services.
One of the important points that Jerry made was that the key to ensuring that data is shared where it needs to be is the development of trust between frontline team members. Noticing that he hadn’t mentioned the role of data protection officers or information governance staff, I asked him what his experience of working with information professionals was. His response was a little disheartening for me as one of those information professionals. His experience has been that if you ask an information professional for advice, you get an information professional’s answer – a cautious one. This isn’t helpful for frontline staff who need to feel confident that they are doing the right thing.
But Jerry was far from dismissive of data protection. One of his 7 golden rules for information sharing is:
“Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately.”
Information sharing is very contentious. This week we’ve been hearing about data sharing in a very different context – between technology companies and the US security services. Not so long ago we were debating whether GPs’ surgeries should be sharing data with the Health and Social Care Information Centre. All of this adds to the difficulty for us as supposed “experts” when asked to advise whether data sharing is appropriate, even in circumstances where there seem clear benefits for data subjects. I know from my own experience how difficult it can be to balance my own concerns with data protection compliance (which is after all the expertise I’m paid for) with the desire to help an employer achieve its – usually well-intentioned – aims. But it seems to me that if practitioners like me are seen by Jerry and his peers as being barriers to protecting the vulnerable, then we need to find a better way of working.
Agreed. The information professional in these areas needs to go beyond giving ‘advice’. Confidence of frontline staff is engendered by authorising what they need to do, not by saying : “these are the issues, these are the risks, make your own minds up”. The risk should be managed and ultimately accepted / mitigated / avoided by the professionals working within a structured governance framework : asset owner – professional – SIRO.
… which is not to say of course that they will not need to make day to day decisions – they will, but within a clear framework of authority and guidance.
The ‘cautious’ answer isn’t likely to be any more legally correct. My employers always encouraged me to say ‘yes’ to data sharing when it was justifiable, so I did. Blaming only the info professional is unreasonable – lawyers and managers need guts as well.
The government has recently published a review by Dame Fiona Caldicott which discusses information sharing vs protection
I disagree, in some circumstances.
When I’m being asked for my opinion it is often the case that the issue is not black and white enough to say definitely yes or definitely no. Particularly when considering sharing of PD, there is the balancing act between what is wanted, risk and legitimate business need. My job is to analyse these and provide the manager with the options, it is their job (for which they get paid a damn sight more money than me) to take responsiblity for picking a particular option.
The point about frontline staff I do agree with however, they do not get paid to make the kinds of assessment DP professionals or managers do and clarity can only make their job easier.