How the emerging law of privacy is preventing a transformation of public services through e-government

The Prime Minister has promised that Britain will capitalise on the opportunities presented by new technology to put all Government services on-line by 2005 at the latest and to transform the delivery of public services through e-government1. So what is e-government all about? According to a recent National Audit Office Report2, electronic or e-government means:

  • Providing public access via the Internet to information about all the services offered by Government departments and their agencies;
  • Enabling the public to conduct and conclude transactions for all those services (for example, paying tax, claiming and receiving benefits and applying for a passport); and
  • The Government harnessing the new technology to transform the internal efficiency of Government departments.

You might well think that such a “courageous” policy initiative to transform the Civil Service into a leaner, more efficient organisation would have come from the pages of “Yes Minister”.3 And you would be right. Volume One of the hapless Hacker’s memoirs contains a chapter about the introduction of a National Information Data Base (sic) for “storing information and speeding up government business and thus avoiding a massive expansion of clerical staff”.  You might also anticipate that the prolix Permanent Secretary, Sir Humphrey Appleby, would have a scheme to stall the Minister’s reform. And he did — in five stages, in fact, with stage four being legal problems. Hacker prophetically notes that “legal difficulties are best because they can be made totally incomprehensible and can go on forever!”   

Although “Yes Minister” was published in 1981, it appears that the Government is still stuck at stage four.  A recent MORI survey of Government Departments has shown that legal uncertainty is the major obstacle to completing e-government projects (58%), behind technical and security issues (56%), data integrity (54%) and financial issues (36%).4

Since 1981 there has been a change in attitude to the recognition and protection of the individual’s right of privacy.  Although there is no general right of privacy recognised by the law, two recent Acts of Parliament have augmented the patchwork of privacy rights, namely the Human Rights Act 1998 and the Data Protection Act 1998. Since ‘joined-up’ government essentially consists of the routine disclosure of personal data amongst Government departments, these two Acts together create more incomprehensible and enduring legal difficulties than even Sir Humphrey could have mustered.

Legal Difficulties
One of the principal rewards of e-government is the construction of services around the citizen, not the public authorities. After all, there’s no point in dragging the Civil Service through reform and risking further ‘scars’ on the Prime Minister’s back if there’s no ‘delivery’ perceived by the citizens (and, possibly more significantly for Ministers, the voters).  It seldom matters to the citizen how the Government organises delivery of its services.  It is far more convenient for the citizen to have access to a ‘one stop shop’ which entails the Government ‘joining up’ its services to co-ordinate services better and reduce duplication throughout different departments. It has therefore been disappointing for many Government Departments to realise that there remains considerable doubt over their legal power to share data with each other or other public authorities.

For example, The Moray Council’s pilot e-government project would like to use the basic information that the Council holds through Council Tax records to populate a new customer relationship management database to provide enhanced services to the community, but this is prohibited.  Additionally, access to a patient’s medical record by the officers in the Council’s Community Services department is also prohibited, resulting in the compilation of a ‘shadow’ record compiled with information supplied by the citizen.  The flip side of the coin is that Health Service professionals do not have routine access to the Council’s Social Work records and do not always know what provisions the Council has made to enable a safe discharge before discharging them.

Human Rights Act 1998 (HRA)
If there is anything approaching a right of privacy under development in Scots law, then it is bound to emanate from Article 8 of the European Convention on Human Rights, which has been given ‘further effect’ in domestic law by the HRA.  Since we are all human rights lawyers now, most of us will be conversant with the ECHR, and there is no need to replicate that article here.

Section 2 of the HRA requires that, in considering arguments, courts and tribunals have regard to (but not necessarily follow) the body of jurisprudence from the Court of Human Rights in Strasbourg.  Although the Strasbourg Court recognises that the ECHR is a living instrument and it should therefore be interpreted in a dynamic manner, rather than being bound by precedent, the Court has evolved some definite principles for the determination of whether data sharing constitutes interference.  It must be:

  • ‘in accordance with the law’;
  • in pursuit of a legitimate aim; and
  • ‘necessary in a democratic society’.

The first principle requires that there must be a legal basis in domestic law for any interference in the individual’s rights and that the law should be adequately accessible and sufficiently certain.

Public authorities acting in accordance with their statutory functions should have little difficulty in establishing their compliance with the second principle.

However, the third principle tends to be a somewhat nebulous affair, since it necessarily involves a proportionality test. This test is the mechanism used by the Strasbourg Court to determine whether there is a fair balance between the protection of the rights and freedoms of the individual as against the rights and the interests of the community as a whole.  In determining proportionality, the Strasbourg Court considers whether:

  • the reasons for the interference are ‘relevant’ and ‘sufficient’;
  • there is a less restrictive alternative;
  • the decision-making process giving rise to the interference is fair;
  • there are any or sufficient safeguards against abuse; and
  • the interference destroys the very essence of the right.

The Strasbourg Court has considered some cases on data sharing amongst public authorities.  Z v Finland5 involved a manslaughter trial of the applicant’s husband in a Finnish court.  The applicant’s doctor was ordered to provide sensitive medical information relating to the applicant, after she had refused to testify against her husband. The doctor provided the information but edited the records to omit all reference to the applicant. The court ordered the doctor to disclose the sensitive medical information, despite his objections.  The court transcripts containing the evidence given by her doctor and her medical records would also enter into the public domain after ten years. The Strasbourg Court held that the disclosure of the information was a violation of Article 8 and the order to allow the transcripts and medical records to enter the public domain would also be a violation.  

MS v Sweden6 also related to the disclosure of medical records.  In this case, however, the applicant had submitted a compensation claim to the Swedish Social Insurance Office (SIO) concerning an alleged back injury. In order to assess her claim, the SIO needed to crosscheck the information received from the applicant against the data held by the clinic she attended.  In this case the Strasbourg Court held that there was no violation of Article 8, since there was a legitimate requirement to consider the data. Additionally, the disclosure was subject to important limitations and was accompanied by effective and adequate safeguards against abuse. Therefore the disclosure was proportionate since there were relevant and sufficient reasons for the disclosure.

Data Protection
Data protection must have been a topical subject when the Hacker memoirs were published in 1981. Automated data storing and retrieval was beginning to show its potential for efficiency savings. However, as Hacker discovered, adequate legal safeguards were required to prevent abuse by the Government and concern over possible abuse led to the development of data protection law in the early 1980s.

The Data Protection Act 1998 (DPA), which replaced its 1984 predecessor, regulates the processing and transfer of personal data which have been lawfully collected.  In terms of the Act, data controllers must inform the Information Commissioner (an independent authority set up by the Government) inter alia of the purposes for which they hold, use and disclose personal data. This information is then placed in the Commissioner’s register of notifications. If the data are subsequently processed in a manner that is incompatible with the principles set out in the DPA, then that processing will be unlawful.  Data sharing clearly falls within the scope of ‘processing’.

For the purposes of the first Data Protection principle, personal data obtained from the data subject are not considered fairly processed unless the data controller provides certain information about the use of the data to the data subject, giving the data subject an effective right to know.

Moreover, the second Data Protection principle provides that “Personal Data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”. In determining compatibility, regard will be had to the intended purpose of processing the data7. Therefore unless compatibility with the purpose for collection of the data can be established, data sharing is effectively illegal.

However, the DPA recognises that there must be some proportionality in data protection. The non-disclosure rule can be disapplied where the application of the Act would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders or the collection or assessment of any tax8.  Also disclosures of personal data required by law or in any legal proceeding9 and by some regulators.  The Secretary of State also has a general power to make an order exempting the non-disclosure requirement if he considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual10.

The road ahead
The non-disclosure provisions of the DPA can, of course, be exempted with the data subject’s consent or explicit consent in the case of sensitive personal data.  However, the cost of establishing a system based on consent may be too high and the benefits may only be realised if all the data subjects opt in.

The only other route for public authorities is to wait for a legislative slot to promote legislation that gives them the specific legal power to share data through ‘gateways’ with consent of the data subject where this is viable and without consent where this is not appropriate.

For the record, Hacker finally managed to progress his National Integrated Data Base by incorporating legal safeguards on the processing of personal data.  Also, Hacker had to provide that any data sharing had to be sanctioned by a Minister, effectively ruling out routine data-sharing, but dealing with the legal difficulty over vires put forward by Sir Humphrey. Although Hacker is constantly complaining about Civil Service obstruction in his memoirs, the legal landscape at the time of publication is so different from today’s that perhaps Ministers in the present (real) Government would read of Hacker’s (fictional) travails with a slight sense of envy.

Euan Sinclair is a solicitor at The Moray Council

Share this article
Add To Favorites