Friday, July 11, 2008

Thomas/Walport data sharing review published

Richard ThomasThe Ministry of Justice has today published Richard Thomas and Mark Walport's review of the UK's framework for the use of personal information in the public and private sectors. Many of their recommendations are unremarkable (e.g. rr. 1–4, 18–19) and would already be enforced if the Information Commissioner had taken a more pro-active approach during his tenure.

While it makes a brief mention of credentials (r. 5), the report is extremely backward-looking on technology, with very little about the potential of better system design to enhance privacy. Thomas & Walport take as read that better customer service, crime prevention and national security all demand ever-greater collection of personal data. They continue the Commissioner's remarkably back-to-front approach of encouraging the UK government in their efforts to savage the EU Data Protection Directive, rather than to properly implement European law (r. 6). They also give the government the go-ahead to allow widespread data-sharing in the public sector after cursory consideration of secondary legislation by Parliament (rr. 7–8).

The few welcome recommendations (rr. 9–13), while entirely predictable from a political economy perspective, would increase the resources and powers of the Commissioner to levels closer to that of the Financial Services Authority. As the FSA told the review, it cannot be right that financial institutions have been fined over a million pounds for data breaches while other sectors need fear virtually nothing from ICO enforcement action. However, a more effective remedy might be to strengthen private rights of action under the Data Protection Act.

The really shocking claim of the report, however, is tucked away on p.34:

An NHS patient agreeing to a course of treatment should also be taken to have agreed that information given during the course of the treatment might be made available for future medical research projects, so long as robust systems are in place to protect personal information and privacy. After all, that patient may be benefiting from research using health information from earlier patients.

It is Stalinesque to demand that the National Health Service should ride roughshod over the need for patient consent for medical records to be used in research. While Mark Walport (head of the Wellcome Trust, one of the world's largest medical research charities) clearly wanted to throw a bone to his colleagues, even they would probably be shocked by such a juicy morsel. It is particularly inappropriate given the Medical Research Council's own findings of low levels of public support for this type of assumed consent.

Richard Thomas would probably not thank me for considering this report a most fitting conclusion to his term as Information Commissioner.

No comments: