 |
ICO advice on partnership databases
Following concerns expressed to AABC by a number of partnership managers about the national SIRCS database and the manner in which personal or sensitive data is made available to users, AABC sought guidance from the Information Commissioner's Office, who has responded as follows:
“Their promotional material does give me some concern. Much is made of their 'full compliance with the Data Protection Act' without any mention of what protections are in place to guard against disproportionate, unnecessary and unfair processing of personal data. I have checked with colleagues as to whether SIRCS have run their policies and procedures by ICO. So far, it does not look as if they have. We will be contacting SIRCS seeking clarification of how they comply with the DPA 1998”.
Partnership data controllers should ensure that any system they are using is compliant with the Data Protection Act principles before providing or accessing any personal or sensitive data.
The ICO has also given advice on the issue of partnership data controllers providing user access to other partnership co-ordinators to enable them to search each other's systems. In this scenario data is made available at the point of access, which may or may not be relevant. The response from the ICO is as follows:
”It seems clear to me that access is being widened to an extent that could cause some concern. The Act builds in protection for individuals by ensuring that data controllers have to decide for themselves whether a disclosure should be made. These decisions take time and involve striking a balance between the legitimate interests of the data controller and the third party to whom the data are disclosed and the rights and freedoms of the individual. I would argue that these difficult decisions are not so much cumbersome, bureaucratic burdens but that they are important safeguards which protect the rights of data subjects while allowing organisations to conduct necessary processing operations.
"In most of the work undertaken by crime reduction partnerships, this balance is struck by making sure that third parties only receive relevant data at the point at which it is required. My worry is that a wider access regime allowing searches by people outside a particular partnership removes the safeguards inherent in the data controller having to decide that in any particular case, disclosure is both necessary and proportionate. I appreciate that audits will pick up on misuse or fishing expeditions but these checks are all after the fact and would not, therefore, provide assurances to individuals (or ICO) that misuse of the system is unlikely to occur.
"In terms of data protection compliance, holding to strict limitations on sharing between partnerships is an important check on what might otherwise appear to be unfettered sharing of personal data regardless of its relevance to the aims of those with who it is shared."
30 July 2010