Memorandum submitted by the Ministry of
1. The Ministry of Justice (MoJ) is responsible
for the Government's domestic, European and international policy
on data protection and data sharing. This memorandum covers the
issues relating to the collection and sharing of personal information
and the safeguards provided by the Data Protection Act 1998 (DPA)
and other legislation. It also covers the duties and powers of
the Information Commissioner to regulate the processing of personal
data under the DPA.
2. The Government published its "Information
Sharing Vision Statement"
in September 2006. This highlighted some of the ways information
is already being shared effectively within the public sector and
stated the Government's intention to continue to share information
to deliver better services, fight crime and protect public security.
The vision recognises that the sharing of personal information
must be carried out transparently and with proper safeguards.
Within that context the MoJ works with departments to develop
policies and deal with data sharing and data protection issues.
3. The social and technological advancements
of recent years have given citizens greater expectations and opportunities
than ever before. They can expect tailored services from the private
sector as well as personalised services from government agencies.
In order to achieve this the effective and proper use of personal
information is needed.
4. Citizens rightly expect that when providing
personal information to facilitate the delivery of modern public
services and to ensure public safety, that their personal data
is secured properly and used appropriately. For example they should
expect to see greater individual security through the reduction
in crime without unnecessary impingements on their individual
privacy or freedoms. The Government's aim is to make sure that
information is only shared when there is a benefit to the public
and that any information sharing is lawful.
5. Responsible information sharing ensures
that citizens have a say in how their personal information is
shared among service providers. Efficient use of this information
will, for example, avoid citizens having to give repeatedly the
same information to a range of service providers.
6. There is a general recognition across
the public sector of the potential to deliver more efficient and
effective public services, and bring benefits to society as a
whole, through better use and sharing of information, within appropriate
legal constraints. A MORI survey
conducted in March this year indicated that the public is willing
to give out personal information to Government and allow it to
be shared if there is a clear benefit to be gained by information
7. For example, earlier this year, the Department
for Work and Pensions (DWP), Her Majesty's Revenue and Customs
(HMRC) and local authorities in North Tyneside worked jointly
in a trial to speed up the processing of benefits and tax credits
to customers in North Tyneside. During the trial the time taken
to get all benefits into payment when someone lost their job was
halved. The payment of tax credit was stopped more quickly, reducing
the possibility of overpayments. Additionally, when customers
started work and were entitled to tax credits, the information
sharing exercise meant that claimants were switched into the tax
credit system promptly. In July this year, the trial was extended
to a further six local authorities.
8. Furthermore, in order to prevent and
detect crime effectively, including terrorism, the police and
other public services can often benefit from access to a variety
of sources of data held by the private sector, public authorities
and organisations that deliver public functions.
9. Advances in technology have been taken
up by the private sector to change the way that commercial services
are delivered. As a result, citizens also expect public services
to be better tailored to their needs, more joined up, and for
their personal information to be better protected. New technologies
have made possible innovative developments in the public sector
such as the Police National Database which, with proper use, will
help tackle crime and build public confidence.
10. In Sir David Varney's report
on service transformation, he identified that citizens currently
have to report a single change of circumstances to Government
many times over. In one instance, bereavement, he identified some
44 different public sector agencies that had to be informed. Sir
David recommended a service be developed that would enable members
of the public to report changes of circumstances such as births,
deaths, and changes of address to Government just once. This information
would then be stored in and shared between IT systems designed
with inbuilt security and with security of physical access, including
specialist training and security checks for staff access.
suggests that the public is willing to give out personal information
to Government and allow it to be shared if there is a clear benefit
to be gained. Improved services are seen as providing a clear
benefit but public concerns still remain about the way that information
can and should be shared across Government, the wider public sector
and with private organisations.
12. Society is rightly concerned that these
new developments are being used lawfully and appropriately, with
due regard for individual privacy, freedoms and rights. The challenge
is to achieve the balance between delivering improved services
through better information sharing and protecting the privacy
of the citizen from unnecessary intrusion.
13. The Government is therefore committed
to ensuring that information sharing is undertaken in a transparent
and controlled manner, with legal and process controls in place
to ensure that information is not shared inappropriately or disproportionately.
Once information has been collected, the Government is very careful
in ensuring that sharing can only take place when it is not incompatible
with the original purpose of collection. It is important that
the data is adequate, relevant and not excessive for the purposes
of sharing and that it is kept only for as long as is necessary
for the sharing. These are important protections within the DPA
and the European Directive which the DPA implements. The public
needs to be satisfied that a proper balance is maintained between
the benefits of sharing information and the right to privacy.
14. The Government consults widely on its
policy and legislative proposals, affording the public and stakeholders
the opportunity to voice their opinions and concerns in response.
The Government also ensures that frontline practitioners and the
public are aware of legislative effects through guidance, public
awareness campaigns, and official website postings.
15. The Government announced on 25 October
that it had invited Richard Thomas, the Information Commissioner
and Dr Mark Walport, the Director of the Wellcome Trust to undertake
an independent review of the way personal information is shared
and protected in the public and private sectors. The review will
assess whether in today's society it strikes the right balance
between giving people the protection they are entitled to, while
allowing them to make the most of the opportunities which are
being opened up the by the new information age. The report is
expected to be published in the first half of 2008.
16. The current legal framework for information
sharing is in our view responsive and robust enough to meet both
current and future needs. There is no single source of law that
regulates the powers that a public body has to use and share personal
information. The collection, use and disclosure of personal information
are governed by a number of different areas of law. In domestic
law, these include:
the law that governs the actions
of public bodies (administrative law);
the Human Rights Act 1998 (HRA) and
the European Convention on Human Rights (ECHR);
the common law tort of breach of
17. The DPA regulates the processing of
personal data, which is defined widely and includes the collection,
use, storage and distribution of personal data. The DPA implements
the Directive 95/46/EC on the protection of individuals with regard
to the processing of personal data and on the free movement of
such data and it is underpinned by the ECHR, particularly the
right to respect for a private and family life under Article 8,
which has been given direct effect in the UK by the Human Rights
Act (HRA). Neither the HRA nor the ECHR prevents the lawful and
proportionate sharing of data. Confidentiality is also not an
absolute bar to disclosure. At common law, or where there is a
statutory discretion to disclose, it may be possible to share
confidential information, for example where it is in the public
interest to do so.
18. Statutory bodies have to rely on express
or implied powers to share information while Ministers of the
Crown may also be able to rely on common law or prerogative powers.
However, where there is a relevant statutory provision occupying
the same ground, this may operate so as to exclude these common
law or prerogative powers.
19. Under the DPA, organisations and individuals
must comply with the data protection principles in order to process
personal data unless an exemption applies.
These principles include ensuring that data processing is fair
and lawful, that data are processed only for specified and lawful
purposes and that data are accurate.
Additionally the processing has to meet certain statutory conditions.
In many of these conditions it is a requirement that processing
be "necessary" for a particular function or purpose,
eg for the performance of a contract or to protect the vital interests
of the subject.
20. Where sensitive personal data is involved,
such as data related to political opinions or health, the processing
must also meet a further set of conditions, eg that the processing
is necessary for the administration of justice or for medical
21. Under the DPA, the Information Commissioner
is the UK's independent regulator.
22. The Commissioner promotes compliance
and good practice, and manages the data protection register and
notification by data controllers of details to be held on the
register, including the general purposes for which they will be
processing personal data. He enforces the DPA and other legislation
under which he has powers to act.
23. The Government always keeps under review
the mechanisms which regulate and protect the use of personal
information to ensure that they continue to protect the citizen
and help achieve the balance between sharing and protecting. The
MoJ and other Government Departments work closely with and consult
the Commissioner and have due regard for his views when developing
policy and legislative proposals.
24. The Commissioner's powers under the
DPA allow him to serve enforcement, information and special information
notices, and obtain warrants to enter premises to inspect, operate
and test equipment used for processing personal information. He
can also seize and inspect evidence of offences.
25. Under the DPA, the Commissioner presents
Parliament with an Annual Report on the exercise of his functions
under this Act. The powers of the Commissioner are kept under
continuous review and the Government will consider legislative
change wherever the case for additional regulatory control is
26. The Commissioner has other specific
or general powers that he can use under other legislation. For
example, in some circumstances he can use the "stop now"
powers under the Enterprise Act 2002.
27. Effective and appropriate information
sharing is not an end in itself. It is one of the foundations
for improving services across the public sector and increasing
public safety. Responsibility for developing and delivering individual
policies across the whole spectrum of government activity rests
with lead departments. The Ministry of Justice has a central role
in providing advice on policy and legislative proposals which
have an impact upon data protection and data sharing, and to help
ensure that all parts of government apply the legal framework
28. The Government considers and introduces
new data sharing provisions on a case-by-case basis. The data
sharing arrangements, including safeguards to protect the privacy
of individuals and their personal information, are designed specifically
around each policy, taking into account technological and social
issues relevant to that policy.
29. An example of these are the data sharing
provisions of the Serious Crime Act. The Home Office, in close
liaison with MoJ, formulated the data sharing provisions of the
Act to create a legal gateway through which public authorities
can share data for the purpose of preventing fraud, within a framework
of appropriate protections. The sharing enabled by the Act must
be compliant with the DPA and the Secretary of State is required
to produce a code of practice to cover this sharing of information.
The provisions also include criminal penalties for the willful
misuse of specified data. The effect of the data sharing provisions
will be to allow the public and private sector to share information
on those attempting to defraud them and prevent further frauds
from taking place.
30. Another example is the Order made under
in July 2006. In response to concerns raised, the Secretary of
State for the then Department for Constitutional Affairs (now
the MoJ) made this Order to facilitate the processing of sensitive
personal data provided by law enforcement agencies by payment
card issuers in relation to customers who have received convictions
or cautions for crimes relating to child abuse images, where their
payment card was used to commit the offence.
31. This enables credit card companies to
exercise their contractual rights to administer the account relating
to that payment card or cancel the card. The MoJ consulted the
Information Commissioner before making the order, as required
by the DPA. In Parliamentary debate, the Government assured both
Houses that the action was fair and balanced; the order was justified
and that there would be no prejudice to the innocent party in
the case of joint accounts.
32. The Select Committee on the Merits of
Statutory Instruments described the Order as "a good example
of an appropriate balance between the rights of the state and
the rights of the individual".
33. Following the Commissioner's special
report What Price Privacy?,
the Government is seeking to use the Criminal Justice and Immigration
Bill, which was introduced in the House of Commons on 26 June
2007, to amend the DPA to allow custodial sentences where access
to personal information has been wilfully or deliberately misused.
34. The Ministry is also working with the
Information Commissioner's Office and other Government Departments
to assess the need, value and potential use of Privacy Impact
35. The Ministry works closely with the
rest of Government and with other relevant parties to ensure that
the correct balance is maintained between the rights of the individual
to privacy and their freedoms and the protection of individuals
from terrorism and other crime. Policies and practices are monitored
continually by the Government, the Ministry and the Information
Commissioner to ensure the balance is in the right place and to
prevent abuse. The Ministry welcomes the Committee's inquiry and
will respond to issues arising in due course.
250 "Information Sharing Vision Statement. http://www.justice.gov.uk/docs/information-sharing.pdf Back
See Public Services Policy Review: The Public View, IPSOS MORI,
27 March 2007 Back
Sir David Varney's review into service transformation Service
Transformation: a Better Service for Citizens and Businesses,
a Better Deal for Taxpayers. Back
See Public Services Policy Review; The Public View, IPSOS MORI,
27 March 2007 Back
DPA. s 4(4). Back
DPA Sched 1, Pt 1, paras 1, 2 and 4. Back
DPA, Sched 2. Back
DPA, Sched 3. Back
Link to: The Data Protection (Processing of Sensitive Personal
Data) Order 2006 Back
Information Commissioner Special Report to Parliament What
Price Privacy? published in May 2006 Back