WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Laws and Business International Report

You are here:  WorldLII >> Databases >> Privacy Laws and Business International Report >> 1999 >> [1999] PLBIRp 45

Database Search | Name Search | Recent Articles | Noteup | LawCite | Download | Help

Crime and Disorder Act poses questions about data-sharing [1999] PLBIRp 45; (1999) 50 Privacy Laws and Business International Report 15

Crime & Disorder Act poses questions about data-sharing

A report by Michael Spencer

THE UK CRIME AND DISORDER ACT 1998 has now been on the statute book for a year, but some of its measures are still the subject of pilot trials. The Association of Chief Police Officers has produced a model Protocol on the new provisions for data sharing between public-sector agencies. As the Act comes into full effect across the country, data protection officers will be faced with new and challenging tasks in developing appropriate guidance.

The Crime and Disorder Act requires public sector agencies to strike a proper balance between the potentially conflicting demands of the Crime and Disorder Act, and the old 1984 and new 1998 Data Protection Acts. The Crime and Disorder Act allows the various agencies to share personal data where statutory authority did not previously exist.

The Crime and Disorder Act was drafted in some haste and many details were left unclear. Since then, the Home Office has been engaged in a comprehensive exercise involving the drafting of guidance on the many aspects of the Act, and the setting up of pilot trials in different parts of England and Wales (for details see Home Office Circular 38/1998, available on the Internet at www.homeoffice.gov.uk/cdact/hoc9838.htm). At the same time, the Association of Chief Police Officers (ACPO) has been drafting a model Protocol to guide local police forces and other agencies on the sensitive question of data-sharing.

At the 1999 Privacy Laws & Business 12th Annual International conference, four speakers from different backgrounds explained the content of the ACPO Protocol and its application in practice. Michael Argent, Chief Constable of North Wales and Chairman of ACPO's Data Protection Group, discussed the thinking behind the Protocol; Anne Chafer, Data Protection Officer of Leicestershire Constabulary and Secretary to the Working Group, outlined its provisions; Gill Smith, Data Protection and Security Officer of Devon County Council, described Devon's experience in running a pilot trial; and John Dicker, Head of Information Management and Technology for South and West Devon Health Authority, explained the particular problems posed by the sharing of medical data.

STRIKING THE BALANCE

Michael Argent explained that the Police Service is no stranger to the need to respond to the opposing demands of crime prevention and personal privacy. The Police Act 1997 introduced legislation to ensure that the intrusive use of police surveillance techniques and equipment is monitored by Surveillance Commissioners, and this is working well. On the disclosure of personal data, the 1997 case of R v. Chief Constable of North Wales ex parte AB & CD (where the police alerted a caravan site owner to the presence of persons convicted of sexual offences against children) established that although the need to safeguard individual privacy is recognised, this cannot be to the detriment of the community at large. The test is whether the disclosure is proportionate to the seriousness of the offence.

The information-sharing powers established in the Crime and Disorder Act are an example of a balancestriking measure. The Home Office suggested that partners should develop appropriate protocols, properly negotiated and publicly supported by each of the partners involved, and the ACPO Protocol is offered as a model to be adapted to local circumstances. However, disclosures need to be considered on a case-by-case basis; the Protocol is not sufficient on its own.

NEW EMPHASIS ON EXCHANGING INFORMATION

Anne Chafer described police data on individuals as previously falling into two categories: firstly, information gathered in order to help callers who enquire about such matters as local garages or providers of accommodation; and secondly, information disclosed because of a statutory duty, Home Office guidance or an ACPO agreement. This would include crim- inal records and intelligence. The Crime and Disorder Act puts a new emphasis on information exchanges between the police and other agencies as an essential aid to the operation of Youth Offending Teams (section 39 of the Act), anti-social behaviour orders, sex offender orders and child curfew schemes. However, the Act does not impose a requirement to disclose; the data remains under the control of the holder.

RELATIONSHIP WITH OTHER LAWS

The new Act must also be seen in the framework of the Human Rights Act 1998 and Article 8 of the European Convention on Human Rights (ECHR), which deals with privacy; the Data Protection Acts of 1984 and 1998; and also the common law, where there are two relevant principles. The first is the duty of confidence: information held in confidence may only be disclosed without the individual's consent if it is required by law, or there is an overriding public interest or public health interest, or a risk of death or serious harm. Other grounds include the detection, prevention and prosecution of serious crime, and the individual's health. Similar principles are reflected in the ECHR and the Data Protection Acts.

The second common-law principle is that of 'discovery of iniquity'. This originally dealt with the obligation to disclose information which might prevent serious crime, but it has now become broadened to avert other serious dangers to the public.

DATA PROTECTION COMPLIANCE

The Data Protection Registrar (to become the Commissioner) issued guidance on section 115 of the new Act to the effect that each information- sharing initiative should have an agreed and common policy on data protection compliance. The Home Office guidance on the same topic outlined a corporate inter-agency protocol with six elements

• a clear mechanism for disclosure

• respect for common law and the Data Protection Act

• retention of control by the data-holding agency

• recording of the source

• designation of personnel responsible for data protection, confidentiality and security, and

• arrangements for staff training.

THE ACPO PROTOCOL

The ACPO protocol requires the depersonalisation of information. The Protocol provides guidance to forces on compiling a document to apply to any exchange of information which is intended to support action under each or any provision of the Crime and Disorder Act. All relevant authorities involved in the partnership must be listed. Voluntary or community groups may be signatories, but they may act only on behalf of a relevant authority. The aim of a specific partnership must be clearly defined with reference to the relevant aspect of the Act.

Signatories have a number of responsibilities:

• realistic expectations must prevail from the outset

• ethical standards must be maintained

• the information exchange mechanism must be adhered to

• appropriate training provided, and

• arrangements exist to test adherence to the protocol.

Information exchanges should wherever possible use depersonalised data, for instance in conducting crime audits. If the disclosure of personal data is necessary or expedient, the power to disclose should be agreed in the context of section 115 of the Act, as well as whether consent has been given, what public interest exists, and whether it is covered by non-disclosure exemptions. Consent avoids many of the data protection problems, and no details of victims, witnesses or complainants should be disclosed without their consent.

PUBLIC INTEREST TEST

If it is argued that disclosure is in the public interest (for instance, to protect the safety of others), account must be taken of the longer-term consequences if a precedent is established. It is also in the public interest to maintain a high standard of confidentiality, so that people still have the confidence to come forward with their complaints or information.

Personal data disclosed must be relevant and in the minimum amount required for the purpose. The identity of the originator must be recorded in specific detail. Data exchanges may continue for several years, during which new staff will be involved who may lack knowledge of the original agreement.

A procedure should be agreed for dealing with requests for secondary disclosure of personal data. It must be compatible with the purpose of collection, the originator must give consent, and the disclosure must be recorded. Other requirements follow normal good practice in data protection: review and weeding of data, updating and correction of inaccuracies, security measures, designation of responsible officers, and complete documentation of all disclosures.

Each agency should have a confidentiality policy, backed by staff training and monitored for adherence by all concerned. In rejecting the case brought against the North Wales police (see above), the Appeal Court took into account the existence of proper procedures for considering all the risks and requirements concerned before a decision was made on disclosure.

AUTHORITIES DEVELOP PROTOCOLS

Local authorities are developing their own protocols on the ACPO model, in consultation with the Data Protection Registrar's staff. Gill Smith explained that Devon was chosen to run one of the 15 pilot trials for Youth Offending Teams. Each team must include a police officer, a probation officer, a local authority social worker, a nominee of any health authority in the area covered, and a nominee of the local authority's chief education officer. Those involved are very conscious of the precarious balance which they must strike between complying with the Act and protecting individual rights. There is a potential to wreck or damage the lives of those whose personal data are shared.

Data protection officers (DPOs) have a particular responsibility to make all practitioners aware of principles with which they may not be familiar. Enthusiasm for making the new Act work must be tempered by knowledge of the requirements of the Data Protection Act and other duties imposed by the law (see above). Two examples were given where the DPO's advice was certainly needed. In the first, a team manager had to be warned that giving the police open access to the social services database would not, however convenient, be permissible. In the second, a local neighbourhood action group had to be disappointed in its wish to benefit from information-sharing about individuals (though it would be free to offer information to the team).

GOOD COMMUNICATION ESSENTIAL

The key to avoiding mistakes in this area is regular communication with all those involved. It needs to be emphasised that data sharing must only take place where it is specifically authorised under the Crime and Disorder Act or other laws such as the Children's Act.

The temptation to hoard such information in case it may come in useful must be resisted. DPOs should constantly update their own knowledge by monitoring the Home Office web site for new regulations under the Act. Where, as in Devon, there is more than one Youth Offending Team in the pilot, they will need to exchange information between them. This process will require security measures such as password protection or encryption to obtain access to the common computer system containing data shared between the five types of agency.

PROCEDURES FOR SUBJECT ACCESS

DPOs will also have to deal with queries regarding subject access. Clear procedures need to be developed and all partners notified of them. Decisions will be needed on whether to withhold information under statutory exemptions. Information about third parties is to be removed unless their consent has been obtained or, failing that, the 'Gaskin test' has been applied (a reference to s. 7(4)-(6) of the new Data Protection Act and a previous judgment of the European Court of Human Rights). In this connection, Devon is treating all data-sharing as 'new processing' under the latter Act, and is treating manual records as if the Act was already in force. Practitioners also need to be made aware of the access provisions currently applicable under the Access to Personal Files Act and legislation relating to pupil records.

Gill Smith encouraged DPOs to participate in seminars on the Crime and Disorder Act which are being organised by the National Association of Data Protection Officers. She ended by pointing out that organisations in the private sector may also need to get familiar with the Act, if local authorities request their involvement under s. 39 of the Act.

CLINICAL CONCERNS

Finally, John Dicker outlined the peculiar dilemmas facing health professionals when presented with requests for information-sharing. The principle of confidentiality has always been central to the relationship between patients and clinicians, but this is increasingly under pressure from the demands of the Act. The importance of the principle is not always appreciated by those outside the profession, yet it is vital in such areas as the control of communicable diseases. A prime example is HIV infection, where clinicians will know the identities of many of those suffering from it because they are under treatment as intravenous drug users. To name the individuals to a Youth Offending Team, as some have suggested, would risk driving them underground, jeopardising their health and sacrificing the wider public interest of disease control.

Clinicians are generally resistant to initiatives on sharing data in this way, and also to 'trawling exercises' unrelated to specific needs. As an example, a Youth Offending Team was asked by the team responsible for youth justice services to compile data on all those aged 10 to 17 who were under treatment for hyperactivity or depression, or who had special needs in education. The clinicians felt that any such audit should focus only on known offenders. Their philosophy centres on treating those in need of help, while the team's remit is the broader one of preventing crime and disorder. This remains a chasm to be bridged.

LOSS OF PUBLIC CONFIDENCE IN MEDICAL CONFIDENTIALITY?

There is also a conflict with the trend in the health service to move towards greater patient anonymity as a means of protecting privacy, as recommended by the Caldicott Report (Report on the review of patient-identifiable information, Department of Health 1997). Furthermore, GPs are not NHS employees and own the patient information which they hold, and would need to give consent for its disclosure. Clinicians also fear that they would lose control over secondary disclosures of data, for instance to the National Criminal Intelligence Service. The overall concern is that public confidence in medical confidentiality would be lost, so that vulnerable people would stop using the services on offer.

John Dicker concluded by rebutting the idea that there is a general lack of co-operation from clinicians: it already exists in the work of child protection teams, mentally disordered offender programmes and so on. The ethical imperative of doing the best for the patient has always needed balancing against the needs of the community. In some areas, such as care in the community, the correct balance has not yet been struck. Child protection works because all those involved are agreed on the ends in view, and not because of the existence of a statute. In the present discussion, there is evidently some way to go in reconciling clinical purposes with those of the Crime and Disorder Act.

This report is based on presentations at the Privacy Laws & Business Annual International Conference 1999, and was written by Dr Michael Spencer, a consultant on data protection and civil liberties. He can be contacted by e-mail: mikespen@gn.apc.org. The papers from the Privacy Laws & Business conference are available from the PL&B office, Tel: +44 (0) 181 423 1300, Fax: +44 (0) 181 423 4536.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/1999/45.html