The Ministry of Justice has announced the terms of reference for its Data Sharing Review of the framework for information use in the private and public sectors. This is a follow-on action after HMRC's loss of a copy of the entire Child Benefit database.
The review will consider whether there should be any changes to the way the Data Protection Act 1998 operates in the UK and the options for implementing any such changes. Following the 25 October request of Gordon Brown, the Prime Minister, it is being carried out by Dr Mark Walport and Information Commissioner Richard Thomas.
The Information Commissioner is the UK's independent authority charged with promoting access to official information and protecting personal information. Mark Walport is a Director of the Wellcome Trust and a member of the Council for Science and Technology, the Government's advisory body on science and technology policy issues.
A publicly-available review consultation paper lists just three IT-related concerns:-
- Question 20: What impact in your view have technological advances had on the sharing and protection of personal information?
- Question 21: Should the law mandate specific technical safeguards for protecting personal information? For example, should there be an explicit requirement that all personal information held on portable devices be encrypted to a particular standard?
- Question 22: How, in your view, could ‘privacy enhancing techniques’, such as the anonymisation or pseudonymisation of personal information, help safeguard personal privacy, whilst facilitating activities such as performing medical research? Is sufficient advice about the deployment of such techniques available? Are you confident about using them? What are the barriers to using them?
Information technology professionals may think that personal information transfer between any public and private sector organisations should be treated like secret or miltarily-sensitive information transfer and adhere to relevant standards such as the FIPS 140-2 cryptography standard.
HMRC lost the contents of the entire child benefit database because its officials, following customary practise in government departments, sent unencrypted citizen's identity information in bulk between its own offices and those of organisations it worked with. The Data Protection Act is intended to protect citizen's data but it is not clear how HMRC or other government departments can regulated and or penalised by the Act in such matters as it stands.
Everyone with an interest in the outcome of the review is encouraged to contribute their thoughts on the matter to the review panel, for example, by using this Word response form.
The Lord Chancellor and Secretary of State for Justice will publish a report of the review's findings in the first half of 2008.
The Police have said they will give up looking for the lost HMRC CDs if they have not been found by Christmas.