Plans to increase the UK government’s access to citizens' private records without the public’s consent should be subject to greater oversight, head of the Information Commissioner’s Office Elizabeth Denham has told MPs.
In an evidence hearing with MPs on Thursday, she was addressing the proposals made in part five of the Digital Economy Bill that allow government departments to better share citizens’ information between themselves.
By more freely spreading around people's data between the Office for National Statistics, Whitehall departments, and local authorities, the government intends to combat issues such as public sector fraud and fuel poverty. However, the proposals have been criticised by academics and MPs as lacking detail.
Denham said: “I think if you are not using consent as a basis for sharing information – as in the case here – then other obligations arise: the need for transparency, the need for safeguards, the need for scrutiny and need for Parliamentary oversight ... [They] are even more important when you are not relying on consent ... so those other obligations need to be strengthened.”
She added: “What would help this bill is if there was a reference to following our privacy note of practice which is across the public and private sector, and I think it would lend more trust to the public.”
Her concerns echo those of other witnesses asked to give evidence on the bill.
Technologist Jerry Fishenden wrote in his written submission about the bill that while some welcome provisions were made, such as making data breaches a criminal offence, its proposals with regards to “data sharing” contain no definition of this term.
“When it talks of 'disclosing' personal data to gas and electricity suppliers, for example (para 30, p.29), it contains no details of what personal information might be disclosed or how. There is none of the legal or technical detail essential to ensure data security, the ethical use of data, and the necessary trust framework essential to protect the rights, privacy and security of citizens,” Fishenden writes.
“In an increasingly digital economy, expanding the number of people and organisations with access to citizens’ personal data – much of it sensitive, such as details of disabilities, relationships, income, welfare status and health – is likely to increase the risk of fraud, not reduce it.
“Such threats are at least as likely from insiders as from outside.”
Failure to get those proposals right could lead to another Care.data fiasco, he said. “It’s essential that the same mistake is not made by rushing through into law a form of 'data sharing' that seeks to implement a similar model across the public sector on a much larger scale.”
Mike Bracken, former head of the Government Digital Service, also argued earlier this week about the thinking behind the proposals. He said: “I have doubts about our overall data sharing operation simply because government is so distributed and there is so much data,” he said.
“Adding more sharing without a clear landscape under which that’s happening seems to add more risk of privacy violation, and more risk of security. Perhaps a way to think about it is access rather than sharing. Many government departments are able to provide individual data points, at point of request, to people who trust them.” ®