Good Governance - Effective use of IT

Written evidence submitted by The Information Commissioner (IT 17)

Introduction

1. The Information Commissioner has responsibility in the UK for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000. The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. The Commissioner’s response to this consultation is based on the practical experience he has gained in regulating compliance with the DPA and FOI.

2. The Information Commissioner’s submission to this inquiry will not seek to answer all of the questions asked in the Committee’s paper, but will focus on those issues most relevant to his role as information rights regulator.

3. It is worth remarking at the outset that the Commissioner supports the assertion that good governance is essential to the effective use of IT. This is true from the perspective of ensuring compliance with information rights legislation and for inspiring trust and confidence in those to whom the citizen has little choice but to entrust their personal information. High profile security breaches have shown how vulnerable our personal details can be and information systems need to be designed to minimise information risk not solely by including better security safeguards but by adopting privacy friendly data minimisation approaches and ensuring the culture of an organisation drives the protection of personal information. Good governance and its influence on the effective use of IT can also help ensure that fears that we may end up living in a database state with unwarranted intrusion into the lives of individuals are not realised in practice.

4. The Information Commissioner is responsible for regulating information rights legislation. His experience of promoting and enforcing this legislation over many years is that a number of information systems procured by Government have fallen short of compliance with these legal requirements. On too many occasions, it appears that the procurement of systems has occurred before privacy and transparency issues have been fully identified and addressed, leading to non-compliant systems being procured. In certain instances this has led to the Commissioner having to take action to ensure that systems are adjusted to make them compliant – sometimes at undue expense to the Department concerned, as information rights compliance measures were not sufficiently considered in the tendering process and thus did not form part of the contract.

5. In addition to the cases where lack of effective security safeguards is evident, the Commissioner has seen instances where new government information systems have been implemented in ways that cause data protection problems. This can range from not having the functionality to support individuals gaining access to their data, inability to delete records when no longer needed and holding excessive and irrelevant information.

6. The Information Commissioner and his predecessors have been very vocal in trying to get Government and other organisations to consider information rights issues as part of the design and procurement of systems for many years. In 2008, the Information Commissioner’s Office commissioned a report from the Enterprise Privacy Group entitled "Privacy By Design" [1]. This report sought to encourage organisations to design privacy and data protection compliance into new systems, rather than bolting it on as an expensive or ill-conceived afterthought. The then Information Commissioner wrote in the foreword to the report that "Although we have seen a dramatic change in the capability of organisations to exploit modern technology that uses our information to deliver services, this has not been accompanied by a similar drive to develop new effective technical and procedural privacy safeguards".

7. The Information Commissioner’s "privacy by design work" has been focussed on providing practical tools to help ensure that privacy safeguards are addressed from first principles of policy development and system design. This includes publishing a privacy impact assessment handbook and codes of practice. In March 2010, the current Commissioner took this work further forward, publishing "The Privacy Dividend: the business case for developing proactive privacy protection" [2]. This report aimed to help organisations understand the rationale for, and benefits to be gained from, building in better privacy protection. Its key conclusions were:

· personal information has a value and protecting it makes good business sense;

· such protection brings real and significant benefits that far outweigh the effort privacy protection requires; and

· ignoring privacy and not protecting personal information has significant downsides.

Recognition of these conclusions has assumed an even greater significance as difficult decisions on the allocation of resources have to be made as funding is reduced. This is brought into sharper focus by the European Commission considering making privacy by design an obligation for data controllers under a new data protection regulatory framework.

4. Information rights law in the United Kingdom is not new. The first Data Protection Act was passed in 1984. Over a quarter of a century later, it is a source of continuing frustration that Government procurement processes still produce systems that are not fit for the purpose of helping Government comply with basic information rights provisions. This should not be the case.

5. The Commissioner’s experience is that there are some pockets of excellent practice in developing IT policy, but many initiatives related to IT are not joined up and fail to take account of one another, often sending out mixed messages. However, we are also getting feedback from information governance professionals within Government that in the drive to push all Government information onto the G-Cloud, legitimate concerns about compliance with information rights legislation and statutory codes of practice are being characterised as "old thinking". Such ad hominem arguments are winning out in certain sections of Government, potentially reducing the availability of information at the same time as Government seeks to make such information more accessible.

6. Several years ago, after the data loss by HMRC, the Central Sponsor for Information Assurance (CSIA) took a leading role in establishing core mandatory measures for protecting personal data across Government. At the same time, there was a lot of discussion about where responsibility lay within Government for coordinating technology policy when it came to privacy, data protection and information assurance. While the core mandatory measures to protect personal data included provision of privacy impact assessment as part of the Gateway Review process, there has never been any review as to how this works in practice, who has oversight of this process and if there is any quality assurance mechanism for ensuring that such assessments are more than mere paper compliance.

7. The Commissioner sees a lack of coordination in Government approach to identity technology policy, with a number of Departments developing identity management and assurance systems independently of one another, and an apparent lack of will to discuss how to make these systems interoperable. While it is obvious that better, more effective use of information technology could herald a "post bureaucratic" age, it is also true that a failure to coordinate policy effectively can create more bureaucracy, serve single Departments rather than the citizen and lead to a failure of Government to deliver services effectively. Anecdotally, one of the reasons the Commissioner is regularly given by Departments who wish to exploit private sector data is the expense, technical difficulties and "not invented here culture" that makes exploiting other Government data sets more difficult. This is not a totally bleak picture and there are some encouraging signs that new approaches to identity assurance are being considered within Government and some with privacy friendly features which give individuals more control over their own information.

8. The Commissioner is of the view that much more can be done to ensure that Government IT is harnessed for the benefit of the citizen and Government. The Commissioner is on record in saying that information rights law should be no barrier to proportionate, reasonable and appropriate information sharing or other uses of personal information.

9. However, it is worth repeating the point that all too often information rights concerns are not considered until it is too late to meaningfully influence the design, procurement or implementation of IT systems. Some significant problems stem from the legislation that information systems are designed to support, which leaves little room for more proportionate and privacy friendly ways of looking after personal information. A now defunct example is the Identity Cards Act which required the provision of far more information about a citizen than was necessary to verify identity then administer the ID cards system. Parliamentarians have an essential role to play in ensuring legislation does not drive the collection and unwarranted exploitation of personal information or put such information at greater risk. Where legislation is enacted that results in greater amounts of personal information being collected, often for what are seen at the time as pressing public policy reasons such as security, post legislative scrutiny of the value of this in practice and the safeguards in place is an important, but often lacking, check mechanism.

10. The Commissioner would also like to highlight the possibility to improve the transparency of IT procurement by further publication of gateway reviews. The Commissioner and the Information Tribunal have ordered disclosure, on public interest grounds, of gateway reviews for several important IT projects. [3] He believes that government departments could publish further detailed information about gateway reviews on a more regular basis. The vehicle for doing this could be via a publication scheme, which all public bodies are required to maintain under section 19 of the Freedom of Information Act. The Commissioner does accept that timing of disclosure is important to allow some safe space for deliberation and also commercial sensitivity may be a factor that may sometimes weigh in favour of non disclosure. Arguments about the chilling effects of disclosure have been raised as very broad factors and in reality these chilling effects have not been demonstrated. [4] Greater transparency will drive better public understanding of large IT projects and more debate about risks (such as privacy) and value for money.

11. As well as Privacy Impact Assessments, the Commissioner believes that Access Impact Assessments [5] should also be considered for large IT projects. These assessments would consider what information the public might request from the IT systems under the Freedom of Information Act and what information (e.g. reports, raw data derived from the system) could regularly be extracted and published in a publication scheme. These considerations could then be fed into the system design and specification at an early stage, alongside privacy impact assessments. This is particularly relevant given the current government proposals for a "right to data", that will enhance FOI rights of access to cover data formats and re-use.

Conclusion

12. The Information Commissioner is not convinced that the current arrangements for coordinating technology policy and for the procurement of IT systems are adequate for producing systems that allow them to meet their information rights obligations efficiently or effectively. Nor do all these systems serve the individual by allowing them to effectively assert their information rights. Any failure to ensure the effective governance and development of information systems puts not just information rights compliance at risk but could further undermine the public’s trust and confidence in the government’s use of information.

January 2011


[1] Available at: http://www.ico.gov.uk/upload/documents/pdb_report_html/privacy_by_design_report_v2.pdf

[2] Available at: http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PRIVACY_DIVIDEND.ashx

[3] ICO decision notices FS50083104 - ID cards, FS50075956 – Department of Health E-Recruitment project and Information Tribunal decision EA/2006/68 & 80

[4] See the UCL report: Robert Hazell, Ben Worthy and Mark Glover, The Impact of the Freedom of Information Act on Central Government in the UK: Does FOI Work? Palgrave Macmillan, London, 2010

[5] See the 2008 report published by the Canadian Information Commissioner: The Access To Information Act 25 Years Later: Toward a new generation Of Access Rights in Canada. Access Impact Assessments page 14. http://www.infocom.gc.ca/eng/DownloadHandler.ashx?pg=19eb9df7-a0b9-49f9-8a99-a75300faa31f&section=af7ad5ce-4e53-4095-8f88-38fc2721c914&file=ATIA25y.pdf