Close

This website uses cookies. For further information, please see our Cookies Notice

Home Page / In Focus / Information Sharing / Putting a price on privacy

Putting a price on privacy

Balancing the need for individual privacy against collective security in delivery of public services

The frenzy that ensues from each high profile case of child abuse, neglect or murder invariably demands answers to the questions of “why didn’t the authorities know about him or her?”, or “how did their history escape the attention of their  employer?”

Secure information sharing

While government measures, such as the Cabinet Office Security Policy Framework, have been implemented to prevent further serious lapses regarding the handling and sharing of information about individuals, end-user organisations find themselves with yet more concerns when privacy of the individual is valued against the greater public safety.

Designed to help manage the risks associated with information sharing in the interests of public safety, measures such as the Information Commissioner’s Office (ICO) Privacy Impact Assessments (PIA) handbook and CESG Infosec Standard 6 – Handling Personal Data, have brought with them significant issues with regard to organisations having the time or budget to be able to carry out the full-scale assessments that are recommended.

Consequences of compliance failure

Ultimately though, failure to manage these risks could result in unauthorised access to private information, thus breaching an individual’s rights to privacy such as those enshrined in the Data Protection Act (DPA). On the other hand, failure to disclose information on an individual, such as a paedophile, suspected terrorist or someone with a history of criminal offences, could place members of the public in danger.

While acknowledging that the debate on privacy versus public safety is at an early stage, it is vital to consider whether this existing guidance, as contained in the aforementioned publications, is sufficient to enable government agencies and businesses responsible for personal data to effectively address the issues raised in the debate and effectively manage the associated risks.

Who is affected most by the privacy v public safety debate?

Government agencies and businesses managing public services on behalf of the government – who hold and process data on individuals – are most affected by this issue, given that they are often holding private information that may need sharing in the interests of public safety. This includes:

  • Data on individuals with a history of criminal offences and convictions such as those against children and young people. This information may need sharing with third party organisations including nurseries, schools, foster homes and other establishments who need access to such data when conducting security checks to ensure that prospective employees will not pose a danger to children or young people in their care.
  • Data on individuals released into the community who have had a history of mental illness. If these people are not properly supervised, they could be a danger to themselves or other members of the public. Therefore, there may be a need to share this information more widely than with the organisations that have a responsibility for the individual’s welfare (e.g. medical practice used by individual, social services).

With this in mind, government suppliers in this arena could be required to investigate sharing this data with third party organisations that were not previously included in their business model, as well as consider how this service could be delivered securely, economically and effectively.

What risk management guidance is available to these organisations?

The ICO PIA handbook (link) is the currently main source of guidance in this area, addressing the key elements of the PIA process, including the conduct of:

  • An Initial Assessment which involves examination of the project at an early stage, identifies stakeholders, makes an initial assessment of privacy risk, and decides which level of PIA – full-scale or small-scale – is necessary,
  • A full-scale or small-scale PIA, depending on the outcome of the Initial Assessment
  • DPA compliance checks, as required by the Initial Assessment.

 

Can the guidance be easily and effectively applied?

Unfortunately, conducting a full-scale PIA is often prohibitively expensive, both in cost and time, to most affected organisations. Although this significant issue is somewhat addressed by the Initial Assessment phase, in practice, most, if not all affected organisations will be forced down the small-scale PIA route, thus rendering the Initial Assessment superfluous.

However, while guidance for full-scale PIA completion is adequately described in the handbook, the description of the small-scale PIA is considered inadequate. Not only does it make extensive reference back to the full-scale PIA, but its generic presentation means it cannot be readily applied. This results in affected organisations having to specify their own, bespoke PIA using the generic guidance in the handbook before the assessment can be conducted; an undesirable scenario when timescales and budgets are already constrained.

What new measures need implementing?

As the digital age increasingly touches every element of our lives, the more information is shared, the greater need there is for effective information security and assurance. Organisations must therefore demonstrate their ability to secure the integrity of their data, the way it is stored and distributed, and comply with regulatory specifications.

However, as identified above, such regulations often require significant time and financial investments, and streamlining or supplementing activities such as the PIAs would go some way to redressing the balance.

Vega, a leading information security and data sharing specialist, believes that the ICO should consider establishing a knowledge base of PIA case studies. This could be contributed to by those who have already carried out their assessments, and accessed by others who would be able to use the knowledge base to understand how similar organisations have dealt with and solved issues of a similar nature, when specifying their own bespoke PIAs.

Additionally, Vega would suggest that a review of the small-scale PIA process should be considered, where it still complies with government regulation, but condenses the process and takes into consideration constraints on time and budget, without shortcutting or demeaning its seriousness.

Ultimately, implementing processes and policies that are accessible to and executable by organisations of all sizes and means, will enable effective information sharing and hopefully prevent more tragic cases resulting from the myopic stance of the past.

Contact Vega for more information about Information Sharing