The powers of Government to share data will be increased under new laws announced yesterday. Legislation will introduce a fast-track procedure to allow data sharing whenever "a robust case" can be made for sharing, said a Ministry of Justice report. The report also made clear that the UK will not introduce a security breach notification law.
Another report published by the Ministry of Justice yesterday gave the Information Commissioner's Office (ICO) new inspection powers, though not the powers that the Commissioner had asked for. It also changed the ICO's funding arrangements which will lead to increased compliance costs for large businesses. (See: ICO to get powers to audit public bodies without consent, OUT-LAW News, 25/11/2008)
Response to the data sharing review report
In July, Information Commissioner Richard Thomas and Dr Mark Walport, a director of the Wellcome Trust, published a report on data sharing that had been commissioned by the Prime Minister in October 2007. Their report made recommendations for cultural and regulatory changes. The Government responded to those recommendations yesterday.
The Ministry of Justice said in its Response to the Data Sharing Review Report (28-page / 170KB PDF) that new laws will be introduced to facilitate data sharing.
"The Government will bring forward primary legislation to place a statutory duty on the ICO to prepare, publish and review a code on the sharing of personal data (the Code)," said the report.
The Code will provide guidance on how organisations can share personal data and promote good practice in the sharing of personal data.
"A breach of, or compliance with, the Code will be taken into account by the courts, the Information Tribunal and the ICO whenever it is relevant to a question arising in legal or enforcement proceedings," it said.
The report said legislation does not provide a barrier to the sharing of personal data in most cases. "There are occasions when the requirement to share data should be put into primary legislation," it said. "Where this is evident, primary legislation should be sought as appropriate," it said.
"There will be times, however, when Government will seek to introduce data sharing arrangements as part of a package of measures to deliver a policy and a fast-track process would be more appropriate," it said.
"Government will legislate to create a gateway for data sharing powers, which will be subject to the Parliamentary Affirmative Resolution procedure. This will create a more streamlined process, retaining the element of parliamentary scrutiny to ensure transparency in data sharing policy and ensuring such power is proportionate," said the report.
Legislation will give the Secretary of State a power to allow data sharing without barriers whenever "a robust case" can be made.
"We intend to bring forward legislation to confer upon the Secretary of State a power to permit or require the sharing of personal information between particular persons or bodies, so long as a robust case can be made to use that power," said the report. "The power will also be used to simplify the data protection framework and remove any unnecessary obstacles to data sharing."
The report also calls for transparency in data sharing. "All organisations should proactively publish details of their data sharing practices and schemes," it said.
Civil penalty powers for the ICO
The ICO was recently given new powers to fine companies for certain breaches of data protection law. The Government said it hopes to bring these powers into force shortly.
The powers allow the Information Commissioner to issue a civil monetary penalty for serious breaches of the data protection principles which are likely to cause substantial damage or distress.
The powers became part of the Data Protection Act in May, when a new section 55A was inserted by the Criminal Justice and Immigration Act of 2008. But some details have still to be published. Yesterday's report neither confirmed when the powers will come into force nor set a maximum level for fines.
Instead, the report said only that "the maximum level of penalties should mirror the existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover."