The parliamentary joint committee on human rights has backed proposals to allow the Information Commissioner to check government IT projects at random to ensure data protection laws are being observed.

Richard Thomas, the Information Commissioner, told the committee that new privacy impact assessments would ensure that privacy concerns are systematically identified and addressed early in a project’s conception, rather than “bolted on later as an expensive and inadequate afterthought.”

In a report into data protection and human rights, the committee found that some government departments, including the Department of Health, were failing to take data protection safeguards seriously enough, and concluded that public concerns were valid.

In December 2007, the DH was found guilty of breaching data protection laws on the Medical Training Application Service (MTAS) website, following a series of issues with the website reported by disgruntled junior doctors.

The committee says incidents such as the security breach on the MTAS website, and the loss of 25m child benefit records last year, must be taken more seriously.

The report says: “It would be wrong to see these errors and lapses as unfortunate ‘one-off’ events. In our view they are symptomatic of the government’s persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure.

“The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for personal data in the public sector… We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act.”

In his oral evidence to the committee, Thomas said the government was now making “a very, very sharp turn-around in attitudes” towards data protection, but added “it should not take a train crash to prevent casualties on the railway; but we have had a train crash and that has served as a wake-up call.”

The committee said this attitude demonstrated a system of “lax standards”, which must be taken “sufficiently more seriously.”

Once reviews of data protection legislation and practice have been completed, the committee expects the government to take action to foster a positive culture for the protection of personal data by public sector bodies.

Committee chairman Andrew Dismore MP said: “People were shocked by the recent losses of data but that is far from a one-off. Information should be treated as sensitively and carefully as hard cash. It should not be sent in the post unregistered and unencrypted. It has taken the massive data loss by HMRC to bring the true consequences of the piecemeal approach to data management to light.”

Link: Joint Committee on Human Rights report into Data Protection and Human Rights