Monday 29 March 2010

(When) should authorities share personal information?

There are some people I know who would prefer to share their last Rolo with a business partner rather than share any personal information. Or share the personal information of the people whose details have been entrusted to them.

Does this actually make sense – especially within the public sector, when most ordinary citizens would be mortified to learn of some of the barriers to data sharing that have been created by some of the public sector data barons? Is this because they sincerely believe that the law does not allow them, a respectable public authority, to share information with another respectable public authority? Or is it because they are afraid of the consequences of losing control of that precious information? Or that they have been paralysed by fear of retribution should a data sharing agreement go wrong, resulting in a breach (by someone else) of the very same information that they passed to the that other authority? Or is it that they are on some ego trip where, as masters of their particular universe, they just can’t be bothered to help another authority?

These were some of the issues that were considered by a group of people who were brought together today to consider the vexed matter of whether information sharing should be more forcefully encouraged. Somewhat appropriately, the meeting was held in the palatial surroundings of the Wellcome Trust along Euston Road. For those who love ironies, that organisation is a global charity dedicated to achieving extraordinary improvements in human and animal health. It shares information about treating the diseases that were originally shared between the patients.

I won’t bore you with details of the proceedings of the event, as it’s an issue that I’m sure will keep me and fellow bloggers occupied for many months to come. But I do want to make just a couple of points at this stage. A point about culture and a second, more fundamental point, about the nature of the information that may be shared by consenting authorities in the first place.

First, culture. I think that everyone present today agreed that the problem that faced authorities when deciding whether to associate themselves with a data sharing initiative wasn’t necessarily the law. That can always be changed – and in any case is often quite out of date, as it was created to respond to a set of situations that may no longer exist. Just because a law did not explicitly provide for information to be shared, it didn’t necessarily mean that authorities didn’t have the right, if they chose to exercise a bit of common sense, to participate in a data sharing initiative – especially if it seemed like quite a sensible thing to do. The key brake to the development of data sharing initiatives could me more to do with culture – the culture either of the authority in general, or the culture of the “data protection” or “legal” guru within the authority. These gurus could frequently punch above their weight, as data protection is often dressed up as a dark, complicated and precise science, just like accountancy.

But it needn’t be that complicated, especially if you strip the issues back to their basic principles. However, the holders of the data protection grail, so to speak, have been known to communicate in hushed tongues and use language that hardly anyone else understands, and that can confuse the followers. Who else uses phrases like “transborder data flows”, or “breach notification requirements”? Homer Simpson certainly doesn’t.

But “cultural change” requires a change in people’s attitudes. And that means a change in the way our chums in Wilmslow promote data sharing initiatives. Take a look at the last crop of their press releases. Most of them refer to mistakes – and the dire consequences which flow to those responsible for them. Very few applaud new initiatives. There’s not much of an encouragement – perhaps if data controllers thought it was ok to experiment – and occasionally fail – a new attitude might prevail. “Yes we can.” That’s a good phrase. Not sure if it will catch on in Blighty, though.

Second, personal information. What surprises me is the extent to which so many agencies try and place barriers between those who need, for perfectly honourable intentions, to share information that’s already in the public domain. Names and addresses are on the electoral register. Criminal convictions are published by courts. So if it’s acceptable to visit libraries and courts, and copy out in long hand details of people’s names and addresses, and their criminal convictions, they are so many barriers placed in front of those who wish to share the information electronically?

If the Parliamentary authorities really knew where people like Baroness Uddin lived, then there wouldn’t be so much confusion about whether she was entitled to draw over £100,000 from the public purse, claiming entitlement to certain allowances, to maintain her opulent lifestyle. Today’s “The Times” reported that “the Crown Prosecution Service announced yesterday that it could not bring criminal charges against Baroness Uddin, a Labour peer who received more than £100,000 in allowances by claiming that her main residence was outside London. Her family home is in Wapping, East London, where she has lived for more than a decade.” Or, taking another example, the paper also reported that, “the Labour peer and donor Lord Paul revealed this week that he would not be prosecuted either. He was investigated by police after he admitted that he never slept in the property outside London he called his main home.”

But enough of the Peers, who can surely look after themselves. I’m more worried about the people. And I would cheerfully bet my last Rolo that they are amazed that public authorities find it hard to share details each another (and private authorities for that matter, too). When my mum dies, I want to be able to tell some public official about it, once. I really don’t want to be expected to get a dozen death certificates and send them to a bunch of different public agencies. Similarly, (and before she dies) when she moves, it would be nice if she could just register the new address once. And let that organisation share that news with the authorities that matter – like the local council, NHS, Meals on Wheels, Equifax, British Telecom, British Gas, Police National Computer, TV licence authority, National Identity & Passport Service, HM Revenue & Customs. And, while they're at it, her bank, Facebook, Bebo, Mashi Monsters and LinkedIn etc, etc. Why feel obliged to do it so often when conceivably you could just do it the once?

Will it ever happen? Possibly not in her lifetime. Or in mine.

But perhaps, in someone’s.