On 23 December, the Scottish Government launched its "Identity Management and Privacy Principles". These principles are intended to "help ensure that respect for privacy is central to the way public services prove identity or entitlement." As this rationale makes clear, the Principles only extend to public sector bodies – often the ones that handle an individual's most private or sensitive data.
The Principles centre round five key areas of data handling, with five corresponding principles:
Proving identity or entitlement – people should not be asked to prove who they are unless it is necessary. Public bodies should ask for as little information as possible, identify themselves, and offer alternative ways to prove identity and/or entitlement for a service.
Governance and accountability – public service organisations should adopt privacy and security policies and procedures.
Risk management – organisations should carry out Privacy Impact Assessments on any new initiative that enables access to services and involves collection, storage or use of personal information.
Data and data sharing – public services should minimise the personal information they hold, avoid creating centralised databases of information and store personal and transactional data separately.
Education and engagement – there should be efforts to raise public awareness of the principles and ensure those handling the data have a good working knowledge of the issues.
These standards are the result of detailed work carried out by an expert group, including the University of Edinburgh's Professor Charles Raab. A consultation exercise followed the initial draft principles, and resulted in the finished product launched last month.
While the principles are not statutory (and have not resulted in any changes to the Data Protection Act 1998), they provide a useful benchmark for public sector organisations when dealing with personal data. Rather than encouraging compliance with data protection principles merely in order to comply with the law, the new Identity Management and Privacy Principles aim to promote the importance of the privacy of personal data. While the changes are not legally binding, it is to be hoped that they help introduce a new ethos when dealing with personal data – one which may, in time, spread to other sectors. They are certainly to be welcomed as a new start for the new year.