“The award winners ranged from Shelter, the housing advice organisation, to Transport Direct (www.transportdirect.info)…”

It says something about government IT when Transport Direct wins an award despite its dreadful service (which is now linked to NHS Choose & Book)!

Douwe Korff, Professor of International Law
at London Metropolitan University writes:

the government has found this one case of the bereaved family that had to give their basic data 43 times, and now uses that to argue that all sorts of (all!) data should be shared by any public body for any purpose. this isnt logic, it is politics. it would be useful to draw up some opposite scenarios to counter this propaganda.

politics and pr aside, two points:

first of all, is there a case for establishing a central database, for use by all government departments (and private bodies?) of very basic data on every legal resident in the uk? name, [latest, up to date] address, dob?
what are the arguments against that? that (a) more data would be added, like nat ins nr or a new “general identifier” – and (b) that that
*automatically* will allow data sharing of further data that can be accessed through this (either through the basic data or through such a nr)? are there good technical ways of preventing that? do remember that in (i guess) at least 24 of the other eu states there is a central population register. activists are going to find it very difficult to argue that the very existence (or here, creation) of these registers is unacceptable – the eur court of hr is not going to hold that this in itself violates the convention. it will focus on the safeguards.

secondly,what should the rules be for the provision (sharing) of more than basic data, either between public bodies or between public and private bodies (either way)? here, the basic rules are well-established: data obtained by one entity for one purpose can only be disclosed by that entity to another entity for another purpose if certain conditions are met: broadly speaking, it must either be authorised by law or based on the consent of the data subject AND the disclosure, and the data that are disclosed, must be “necessary” for the second purpose, AND (in principle) the data subject (if he didnt already consented) must be informed and must be able to object.

there are some further clarifications to be added:

1. just basing something on a law (or statutory instrument) isnt good enough: even the legislator may only authorise data sharing when this is “necessary” for a clearly-defined purpose;

2. the purposes (primary and secondary) must be tightly defined: not “for police purposes” or “for medical purposes” but “to prevent crime”, “to apprehend an offender”, “to diagnose and treat a patient”, “to carry out medical research” etc;

3. the term “necessary” imposes a relatively strict test;

4. whether the requirement is met should be justiciable: there must be an effective remedy available to the data subjects if they feel the sharing is not “necesssary”;

5. there are dozens of loopholes in the uk data protection act — BUT many of those contravene european law and can thus be challenged and (ultimately, in xx years time) ruled to be unlawful;

6. the government ignores point (5) (and thus the others) …

hope this helps –

While being joined-up may offer a real advantage to governments departments, the privacy risks to the rest of us are even greater and until the public sector can demonstrate a rather better track record of success with personal data than it has in the past I think I’ll support my spooky friend in believing that some things are best left alone if we are not to plunge headlong into Big Brother’s vision of a joined-up future that I want no part in.

I see he’s also a Pandora fan (email me if you want to be invited to William’s soul station).