The calls come in a Data Sharing Review produced by Commissioner Richard Thomas and Dr Mark Walport, a director of the Wellcome Trust and member of the Government's Council for Science and Technology.
The report was commissioned by Prime Minister Gordon Brown in the immediate aftermath of the loss of records on 25 million people by HM Revenue and Customs last year.
The report recommends the extension of the powers of the Information Commissioner's Office (ICO) to allow it to inspect an organisation's data protection systems even against the will of that organisation.
In the aftermath of the HMRC scandal, Brown allowed the ICO the power to force inspection of public bodies' systems. Thomas has previously called for the extension of that power into the private sector.
"The key to effective enforcement lies in the regulator’s ability to undertake necessary investigations and inspections, so that regulatory failures can be identified and corrected," said the report. "In those cases where there is resistance the power to inspect will need mandatory back-up. Indeed, without an incentive or legal compulsion, it is doubtful that many organisations would want to take the risk of consenting to an inspection."
The report also says that the electoral register should not be for sale. Local authorities sell a version of the electoral roll to marketers, allowing people to opt out of inclusion on the version that is sold.
"We feel that selling the edited register is an unsatisfactory way for local authorities to treat personal information," said the report. "It sends a particularly poor message to the public that personal information collected for something as vital as participation in the democratic process can be sold to ‘anyone for any purpose’."
The report is the fifth following the HMRC scandal and other data losses by public bodies, including the Ministry of Defence.
Overall, Walport and Thomas's Review argues that organisations have to transform the way they use and share personal information. It points out that, because public confidence in organisations’ ability to protect personal information has been seriously damaged, remedial measures are needed to restore trust in data sharing.
"Public confidence in how personal information is safeguarded is evaporating," Mark Walport, one of the authors of the Review, told OUT-LAW. "We recommend that decisions should be made in the context of a clear statutory code of practice" linked to "stronger leadership and accountability in organisations that use and share personal information [and] to greater openness and transparency in the way our information is handled by others."
The report has asked that the Government implement its measures and report on its progress in 18 months' time.
"The research community will be happy that the Review has recommended the wider use of personal data for research purposes subject to certain security considerations and the Government will be pleased that they have been recommended a general order making power that facilitates data sharing, subject to a consultation process with the ICO," said Dr Chris Pounder, a data protection specialist with Pinsent Masons, the law firm behind OUT-LAW.
"The Review has a lot to commend it, but personally speaking I would have liked to see recommendations that empower the individual and Parliament to scrutinise data sharing policy, for example by making it easier for data subjects to object to some data sharing, or to strengthen the weak Parliamentary processes associated with the scrutiny of order making powers by Ministers, or to allow the Commissioner to challenge the actual orders through the Courts on the grounds that the order is an infringement of the human rights obligations," he said.
The Thomas / Walport recommendations
Recommendation 1: As a matter of good practice, all organisations handling or sharing significant amounts of personal information should clarify in their corporate governance arrangements where ownership and accountability lie for the handling of personal information.
Recommendation 2: As a matter of best practice, companies should review at least annually their systems of internal controls over using and sharing personal information; and they should report to shareholders that they have done so.
Recommendation 3: Organisations should take the following good-practice steps to increase transparency:
(b) Privacy Policies should state what personal information organisations hold, why they hold it, how they use it, who can access it, with whom they share it, and for how long they retain it.
(c) Public bodies should publish and maintain details of their data-sharing practices and schemes, and should record their commitment to do this within the publication schemes that they are required to publish under the Freedom of Information Act.
(d) Organisations should publish and regularly update a list of those organisations with which they share, exchange, or to which they sell, personal information, including ‘selected third parties’.
(e) Organisations should use clear language when asking people to opt in or out of agreements to share their personal information by ticking boxes on forms.
(f) Organisations should do all they can (including making better use of technology) to enable people to inspect, correct and update their own information – whether online or otherwise.
Recommendation 4: All organisations routinely using and sharing personal information should review and enhance the training that they give to their staff on how they should handle such information.
Recommendation 5: Organisations should wherever possible use authenticating credentials as a means of providing services and in doing so avoid collecting unnecessary personal information.
Recommendation 6: Any changes to the EU Directive will eventually require changes to the UK’s Data Protection Act. We recognise that this may still be some years away, but we nonetheless recommend strongly that the Government participates actively and constructively in current and prospective European Directive reviews, and assumes a leadership role in promoting reform of European data law.
Recommendation 7(a): New primary legislation should place a statutory duty on the Information Commissioner to publish (after consultation) and periodically update a data-sharing code of practice. This should set the benchmark for guidance standards.
Recommendation 7(b): The new legislation should also provide for the Commissioner to endorse context-specific guidance that elaborates the general code in a consistent way.
Recommendation 8(a): Where there is a genuine case for removing or modifying an existing legal barrier to data sharing, a new statutory fast-track procedure should be created. Primary legislation should provide the Secretary of State, in precisely defined circumstances, with a power by Order, subject to the affirmative resolution procedure in both Houses, to remove or modify any legal barrier to data sharing by:
- repealing or amending other primary legislation;
- changing any other rule of law (for example, the application of the common law of confidentiality to defined circumstances); or
- creating a new power to share information where that power is currently absent.
Recommendation 8(b): Before the Secretary of State lays any draft Order before each House of Parliament, it should be necessary to obtain an opinion from the Information Commissioner as to the compatibility of the proposed sharing arrangement with data protection requirements.
Recommendation 9: The regulations under section 55A of the Data Protection Act setting out the maximum level of penalties should mirror the existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover.
Recommendation 10: The Government should bring the new fine provisions fully into force within six months of Royal Assent of the Criminal Justice & Immigration Act, that is, by 8 November 2008.
Recommendation 11: We believe that as a matter of good practice, organisations should notify the Information Commissioner when a significant data breach occurs. We do not propose this as a mandatory requirement, but in cases involving the likelihood of substantial damage or distress, we recommend the Commissioner should take into account any failure to notify when deciding what, if any, penalties to set for a data breach.
Recommendation 12: The Information Commissioner should have a statutory power to gain entry to relevant premises to carry out an inspection, with a corresponding duty on the organisation to co-operate and supply any necessary information. Where entry or cooperation is refused, the Commissioner should be required to seek a court order.
Recommendation 13: Changes should be made to the notification fee through the introduction of a multi-tiered system to ensure that the regulator receives a significantly higher level of funding to carry out his statutory data-protection duties.
Recommendation 14: The regulatory body should be re-constituted as a multi-member Information Commission, to reinforce its status as a corporate body.
Recommendation 15: ‘Safe havens’ should be developed as an environment for population-based research and statistical analysis in which the risk of identifying individuals is minimised; and furthermore we recommend that a system of approving or accrediting researchers who meet the relevant criteria to work within those safe havens is established. We [Thomas / Walport] think that implementation of this recommendation will require legislation, following the precedent of the Statistics and Registration Service Act 2007. This will ensure that researchers working in ‘safe havens’ are bound by a strict code, preventing disclosure of any personally identifying information, and providing criminal sanctions in case of breach of confidentiality.
Recommendation 16: Government departments and others wishing to develop, share and hold datasets for research and statistical purposes should work with academic and other partners to set up safe havens.
Recommendation 17: The NHS should develop a system to allow approved researchers to work with healthcare providers to identify potential patients, who may then be approached to take part in clinical studies for which consent is needed.
Recommendation 18: The Government should commission a specific enquiry into on-line services that aggregate personal information, considering their scope, their implications and their regulation.
Recommendation 19: The Government should remove the provision allowing the sale of the edited electoral register. The edited register would therefore no longer serve any purpose and so should be abolished. This would not affect the sale of the full register to political parties or to credit reference agencies.