Tag Archive for Data sharing

Is a disproportionate fear of “Big Brother” preventing us from seeing the big picture?

FOI Man asks if we’re in danger of throwing the baby out with the bathwater through an increasingly negative portrayal of the use of personal data.

It’s easy to see why many of us have concerns over the possibility of the security services accessing our email or listening in to our phone calls. What I’m increasingly worried about is what appears to be a widely held and instinctive view that any sharing of personal data – and even data that has been anonymised – is necessarily a “bad thing”.

The Liberal Democrats in particular were highly critical of the last government’s use of technology. One development which David Laws, now a Minister, criticised as “intrusive” was a national database called ContactPoint. It had been developed as a result of a recommendation by Lord Laming in his report on the death of Victoria Climbie. It allowed doctors, social workers and police to access details of any child, thereby helping to prevent situations where abuse of children went undiscovered because of poor communication between these services. When the current Government came to power, the system was scrapped.

The last government also tried to introduce central medical records for all NHS patients, which would mean that when you turned up at a hospital far from home, as I have done myself, doctors would have access to your medical records and history. Believe me, when you are in pain and desperate to be treated, the last thing that you want to do is to answer questions about your medical history. And that’s if you are in a position to answer those questions. This project was scuppered by its complexity and expense fundamentally, but there was a big campaign by critics to encourage patients not to allow their doctor to upload their details.

One aspect of recent NHS reforms is that GPs will be asked to share data about their patients’ care with a central body called the Health and Social Care Information Centre. Patients can choose to opt out if they wish by writing to their GP. The data will be shared with approved partners, for example the Department of Health. It will be used, for example, by medical researchers trying to find out what treatments are effective. The data is invaluable to such researchers – it could well save more lives than donating organs or the odd litre of blood. It will normally be shared in anonymised form unless the research concerned requires more information to be effective.

There has been the predictable outcry against this. And that’s really my point. It has become fashionable to criticise any sharing of personal data, even if anonymised, no matter what the purpose. It’s all about big brother.

I can understand some of the concerns. There are risks in building up big central datasets. There are lots of stories of individuals abusing access to personal data. Police workers who misuse the Police National Computer to check up on a neighbour, or GPs’ receptionists who read their ex-husband’s new wife’s medical records. But firstly, where this is discovered staff can be – and should be – disciplined and/or prosecuted. Protection of this data is what the Data Protection Act is all about, and breaches should be taken seriously. And secondly – we’re surely not saying that the Police National Computer should be shut down as a result of breaches. The greater good of being able to solve crimes through linking a large pool of data is generally accepted as justification. Indeed police were criticised following the Soham murders for not keeping data on there. Instead what we really want is a proportionate use of this data, and for effective safeguards to be put in place.

One popular claim is that there is no such thing as “anonymised data”. Academic studies are widely cited showing that it is possible to identify individuals within large datasets. However, what isn’t so widely reported is that there are other academics who argue that there are deficiencies in those studies and that they are, in any case, being misreported.

As a Data Protection Officer (as well as an FOI Officer), I would certainly want any organisation to assess the impact on individuals’ privacy of any proposed plan involving their personal data. I would expect them to consider which condition of the Data Protection Act justified this processing of the data. But it does worry me that we seem to be moving to a position where we assume that any processing of our data must be wrong by its very nature. Where organisations are discouraged from innovating or using data to potentially save lives because there is a risk, however small, that an individual might be identified (and an even smaller risk that that would actually have any real impact on the individual concerned). What’s more, because this has become a political issue, there are few in government now prepared to champion the use of personal data for the benefit of all.

In my view, the current trend is damaging. If we continue to portray all use of personal data as wrong, it will become more and more difficult to offer public as well as private sector services. It will certainly become more difficult to improve them. Contributing personal data to society is at least as important as paying our way financially. Data Protection shouldn’t be about saying “no” all the time.

Do information practitioners need to get out of the way?

FOI Man reviews a seminar hosted by the University of Winchester’s Centre for Information Rights and questions whether those of us who are information practitioners are helping or hindering attempts to protect the vulnerable.

Back at the end of April I attended a seminar hosted by the University of Winchester’s excellent new Centre for Information Rights. The title for the seminar was “Data Sharing and the Vulnerable”, and given recent scandals around Jimmy Savile and Winterbourne View, it was timely.

The first speaker was Sue Gold, who is a solicitor with Osborne Clarke, but had previously worked for the Disney Corporation. Sue highlighted the difficulties not so much of sharing data, but of collecting data – specifically from children. If you asked most organisations whether they collect data from children, their automatic response would be no. But Sue pointed out that most websites will, even if their owners don’t intend them to, at some point collect data (e.g. registration data) from those who are much younger than their target audience. Most companies have some form of “age gating” to try to prevent children accessing products or services, but as Sue demonstrated, very few – if any – of these are effective. Frankly if you can think of a way to prevent children from accessing your site, they will have already thought of a way to bypass it. And if you have a system that requires parental consent… well, you probably remember what happened when you had to get someone to sign your homework diary.

This was followed by Helen James, Winchester’s Head of Law, who talked about the limitations of the UK’s whistleblowing legislation in a culture where 80% of nurses in a survey thought they would be victimised if they blew the whistle on their employer. Helen pointed out that there are hints that the mood is changing following Winterbourne View and the Mid-Staffordshire NHS Foundation Trust inquiry.

Finally, Jerry Brady of Dorset County Council’s Children’s Services looked at information sharing in services for vulnerable children. Jerry pointed out that following the Laming Report into the circumstances surrounding the death of Victoria Climbie, there had been a new emphasis on the importance of sharing data to protect vulnerable children. The aim was to integrate services, but limited progress has been made, not least because of political arguments over information sharing. There has been a shift away from integration towards alignment of services.

One of the important points that Jerry made was that the key to ensuring that data is shared where it needs to be is the development of trust between frontline team members. Noticing that he hadn’t mentioned the role of data protection officers or information governance staff, I asked him what his experience of working with information professionals was. His response was a little disheartening for me as one of those information professionals. His experience has been that if you ask an information professional for advice, you get an information professional’s answer – a cautious one. This isn’t helpful for frontline staff who need to feel confident that they are doing the right thing.

But Jerry was far from dismissive of data protection. One of his 7 golden rules for information sharing is:

“Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately.”

Information sharing is very contentious. This week we’ve been hearing about data sharing in a very different context – between technology companies and the US security services. Not so long ago we were debating whether GPs’ surgeries should be sharing data with the Health and Social Care Information Centre. All of this adds to the difficulty for us as supposed “experts” when asked to advise whether data sharing is appropriate, even in circumstances where there seem clear benefits for data subjects. I know from my own experience how difficult it can be to balance my own concerns with data protection compliance (which is after all the expertise I’m paid for) with the desire to help an employer achieve its – usually well-intentioned – aims. But it seems to me that if practitioners like me are seen by Jerry and his peers as being barriers to protecting the vulnerable, then we need to find a better way of working.