WRITTEN ON July 11th, 2008 BY William Heath AND STORED IN Data nitwittery, Foundation of Trust, Identity, Transformational Government, What do we want?

The Walport review is out – its summary recommendations are reproduced below:

Developing culture

Recommendation 1: As a matter of good practice, all organisations handling or sharing significant amounts of personal information should clarify in their corporate governance arrangements where ownership and accountability lie for the handling of personal information.

Recommendation 2: As a matter of best practice, companies should review at least annually their systems of internal controls over using and sharing personal information; and they should report to shareholders that they have done so.

Recommendation 3: Organisations should take the following good-practice steps to increase transparency:
(a) Fair Processing Notices should be much more prominent in organisations’ literature, both printed and online, and be written in plain English. The term ‘Fair Processing Notice’ is itself obscure and unhelpful, and we recommend that it is changed to ‘Priva
(b) Privacy Policies should state what personal information organisations hold, why they hold it, how they use it, who can access it, with whom they share it, and for how long they retain
(c) Public bodies should publish and maintain details of their data-sharing practices and schemes, and should record their commitment to do this within the publication schemes that they are required to publish under the Freedom of Information Act.
(d) Organisations should publish and regularly update a list of those organisations with which they share, exchange, or to which they sell, personal information, including ‘selected third p
(e) Organisations should use clear language when asking people to opt in or out agreements to share their personal information by ticking boxes on forms.
(f) Organisations should do all they can (including making better use of technology) to enable people to inspect, correct and update their own information – whether online or otherwise.

Recommendation 4: All organisations routinely using and sharing personal information should review and enhance the training that they give to their staff on how they should handle such information.

Recommendation 5: Organisations should wherever possible use authenticating credentials as a means of providing services and in doing so avoid collecting unnecessary personal information.

The legal framework

Recommendation 6: Any changes to the EU Directive will eventually require changes to the UK’s Data Protection Act. We recognise that this may still be some years away, but we nonetheless recommend strongly that the Government participates actively and constructively in current and prospective European Directive reviews, and assumes a leadership role in promoting reform of European data law.

Recommendation 7(a): New primary legislation should place a statutory duty on the Information Commissioner to publish (after consultation) and periodically update a data-sharing code of practice. This should set the benchmark for guidance standards.

Recommendation 7(b): The new legislation should also provide for the Commissioner to endorse context-specific guidance that elaborates the general code in a consistent way.

Recommendation 8(a): Where there is a genuine case for removing or modifying an existing legal barrier to data sharing, a new statutory fast-track procedure should be created. Primary legislation should provide the Secretary of State, in precisely defined circumstances, with a power by Order, subject to the affirmative resolution procedure in both Houses, to remove or modify any legal barrier to data sharing by:
• repealing or amending other primary legislation;
• changing any other rule of law (for example, the application of the common law of confidentiality to defined circumstances); or
• creating a new power to share information where that power is currently absent.

Recommendation 8(b): Before the Secretary of State lays any draft Order before each House of Parliament, it should be necessary to obtain an opinion from the Information Commissioner as to the compatibility of the proposed sharing arrangement with data protection requirements.

The regulatory body

Recommendation 9: The regulations under section 55A of the Data Protection Act setting out the maximum level of penalties should mirror the existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover.

Recommendation 10: The Government should bring the new fine provisions fully into force within six months of Royal Assent of the Criminal Justice & Immigration Act, that is, by 8 November 2008.

Recommendation 11: We believe that as a matter of good practice, organisations should notify the Information Commissioner when a significant data breach occurs. We do not propose this as a mandatory requirement, but in cases involving the likelihood of substantial damage or distress, we recommend the Commissioner should take into account any failure to notify when deciding what, if any, penalties to set for a data breach.

Recommendation 12: The Information Commissioner should have a statutory power to gain entry to relevant premises to carry out an inspection, with a corresponding duty on the organisation to co-operate and supply any necessary information. Where entry or co-operation is refused, the Commissioner should be required to seek a court order.

Recommendation 13: Changes should be made to the notification fee through the introduction of a multi-tiered system to ensure that the regulator receives a significantly higher level of funding to carry out his statutory data-protection duties.

Recommendation 14: The regulatory body should be re-constituted as a multi-member Information Commission, to reinforce its status as a corporate body.

Research and statistical analysis

Recommendation 15: ‘Safe havens’ should be developed as an environment for population-based research and statistical analysis in which the risk of identifying individuals is minimised; and furthermore we recommend that a system of approving or accrediting researchers who meet the relevant criteria to work within those safe havens is established. We think that implementation of this recommendation will require legislation, following the precedent of the Statistics and Registration Service Act 2007. This will ensure that researchers working in ‘safe havens’ are bound by a strict code, preventing disclosure of any personally identifying information, and providing criminal sanctions in case of breach of confidentiality.

Recommendation 16: Government departments and others wishing to develop, share and hold datasets for research and statistical purposes should work with academic and other partners to set up safe havens.

Recommendation 17: The NHS should develop a system to allow approved researchers to work with healthcare providers to identify potential patients, who may then be approached to take part in clinical studies for which consent is needed.

Safeguarding and protecting publicly available information

Recommendation 18: The Government should commission a specific enquiry into on-line services that aggregate personal information, considering their scope, their implications and their regulation.

Recommendation 19: The Government should remove the provision allowing the sale of the edited electoral register. The edited register would therefore no longer serve any purpose and so should be abolished. This would not affect the sale of the full register to political parties or to credit reference agencies.

We strongly commend these recommendations to the Government and we look forward to a timely response. In particular we would like the Government, as part of its response, to set out a clear timetable for implementation and to report on progress in eighteen months' time.

2 Responses to “Summary recommendations of Walport/Thomas data sharing review for MoJ”

Charles wrote on July 11th, 2008 8:10 pm :

Just as a general point – while the “wrap up” and “pull down” things might be cute to program, they’re not helpful to people who read via RSS. I had to come to the page from my feed reader, and then click again on the page. That’s two clicks more than I want to make.

Text in the feed, surely. Even long stuff like this. I’m big, I can bear it.

Mark wrote on October 16th, 2008 9:20 pm :

Definitely keep us updated if you get any kind of response. Would love to hear about it…

Mark ~ Sign Makers Ashington