The Scottish Government has launched a new consultation on Identity Management and Privacy Principles. The consultation is part of a move to regulate the collection and use of personal data by public organisations, and includes a focus on risk management and accountability.
The consultation stems from draft principles intended to produce better management and use of personal identifiers. These principles were the result of an expert group, which met from October 2008 to March 2009, and included the Assistant Information Commissioner for Scotland, Ken Macdonald, and Professor Charles Raab of the University of Edinburgh.
One of the key recommendations from the expert group is that organisations should avoid collecting large amounts of personal data and holding it centrally, since a single breach of such a database, whether deliberate or accidental, exposes everyone whose records it holds.
This consultation is very much to be welcomed, not least because public bodies have become rather notorious for poor data handling in recent years. The highest-profile loss of personal data in the public sector, HMRC's loss of 25 million child benefit records in 2007, is of course not a direct target of the Scottish proposals, but breaches of data security north of the border suggest that the public sector in Scotland has some way to go in securing private information. Recent examples have included:
- patient files left lying in a hospital corridor (2009)
- medical records found lying in an empty flat (2008)
- unauthorised access to personal information by an employee of Lothian and Borders Police (2009) and by a GP in NHS Fife (2008)
While the Data Protection Act 1998 (enforced by the Information Commissioner) is intended to ensure the security of personal data, it appears that large organisations require clearer guidance on the standards to be met and on the practical steps they can take to meet them.
The consultation closes on 23 November 2009, and next steps will be awaited with interest. The one question which remains is: does the private sector require a similar set of recommendations?