Sharing Information Legally Lindsay Ould London Borough of Lewisham

Agenda Myths about Data Sharing Legislation covering this area Conditions for sharing information Good practice in use of profiling data Any Questions?

Myths about data sharing Data Protection Act doesn’t allow it Sharing within an organisation doesn’t need consent We’ve always done it It’s too difficult to get consent from everyone We can’t afford to contact all the data owners

Powers to share information There are three broad types of power: statutory powers implied statutory powers common law or prerogative powers.

Information Legislation Data Protection Act 1998 Freedom of Information Act 2000 Human Rights Act 1998 Information Gateways e.g. Section 115, Crime and Disorder Act 1998 Common Law duty of Confidentiality Case law Statutory Instruments Sector specific legislation – Local Government Act, LGFA, Planning, Housing, Children's Act

Common-law (confidential information) Have the necessary quality of confidence (that is, not be in the public domain, and have some value to either party); Have been communicated in circumstances in which confidentiality can be reasonably expected, or in circumstances giving rise to an obligation of confidentiality. The expectation or obligation can be expressed (for example, provided in a statement of confidentiality) or implied (such as when information is provided to a doctor, banker or lawyer)..

Defining Personal Information … data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession, of the data controller reference to an individual’s name alone is unlikely to be personal data – biographical, includes expression of opinion & intention

Sensitive Personal Data Racial or ethnic origin Political opinions Religious or other beliefs of a similar nature Membership of trade union Physical or mental health or condition Sexual life Commission or alleged commission of offences Proceedings for any offence committed or alleged to have been committed

Conditions for sharing information Defined in Schedule 2 & 3 of Data Protection Act Consent Contract Legal obligation Vital interests Functions of public nature Legitimate interests of data controller

Consent No age of consent is defined within the UK Data Protection Act EU Directive gives a definition of ‘Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him to be published’ Explicit consent for sensitive personal information Disproportionate effect

Capacity ‘Of sufficient age and maturity to have such an understanding’ –Age of capacity not defined in England –Scotland – 12 years old (Age of legal capacity (Scotland) Act 1991) –Gillick competency test –Mental Capacity Act 2005

Transferring Information Mapping data flows Organisation policy standards Identify ‘one-off’s’ and ongoing sharing Information Sharing Protocols Contractual inclusions Status of data processor Must ensure adequate protection of data

What is the status of the data to be shared? It is useful to place data into one of three categories: Identified – allowing the direct identification of individual people, households, businesses, or other unit records. Identifiable – anonymised but detailed microdata or aggregates that may allow for the indirect identification of individual unit records. Non-disclosive – data that is not likely to allow for the identification of an individual unit record, without using disproportionate time, effort and expertise.

Use of personal data for research history & statistics (s33) –Personal data when processed only for statistical purposes: is not to be regarded as incompatible with the original purposes for which it was obtained may be kept indefinitely Is exempt from data subject access rights on a case by case basis –Section 33 only applies where the processing does not result in actions affecting particular individuals, or is carried out in such a way that is not likely to cause a data subject substantial damage or distress.

Purpose of data matching If your data matching are for planning new services or predicting behaviour, you may not need to inform data subjects If your matching will result in you contacting data subjects for a different purpose than originally informed, then you need to meet a condition within schedule 2 and/or 3

Using profiling data Profiling data is compiled from publicly available data Profiling data is ‘identifiable’ Further processing of profiling data may ‘Identify’ it Matching profiling data with personal data you hold may make it ‘Identified’ As soon as a person becomes identified, you need to satisfy a condition in schedule 2 (or 3 for sensitive data) If the purpose has changed, new fair processing (privacy) notices may be required Notification may need to be amended

Good Practice Tips Provide a layered processing notice Provide safeguarding information to customers Communicate information about the customer profiling project on website & publicity materials Identify personal data sets that you may match with profiling data and tell all new customers and existing customers at contact points Improved data quality will ensure you limit costs of obtaining consent Map data flows to ‘know your data’

Further reading Code of practice for sharing information data_protection/detailed_specialist_guides/pinfo -framework.pdf data_protection/detailed_specialist_guides/pinfo -framework.pdf Technical guidance notes – Council tax data_protection/detailed_specialist_guides/use_ of_personal_information_held_for_collecting_an d_admini%E2%80%A6.pdf data_protection/detailed_specialist_guides/use_ of_personal_information_held_for_collecting_an d_admini%E2%80%A6.pdf Practitioners guides her/NSDataSharing.pdf

Sharing Information Legally Lindsay Ould London Borough of Lewisham