The UK government has offered more detail on how public authorities can pass around the data they hold on citizens – a mere five months after the Digital Economy Act passed into law.
The final versions of the codes of practice, which are used to add some meat to the bones of the legislation, are now open for a six-week consultation.
They aim to provide the much-needed checks and balances to Part Five of the act, which gives public authorities, researchers and statisticians greater, and easier, access to publicly held data.
The bill itself was rushed through parliament as a result of Prime Minister Theresa May's decision to call a snap election, and came under fire for a lack of transparency and clarity, while one House of Lords committee said it gave the government "inappropriate" and "untrammelled" powers.
Draft codes of practice were published in November 2016, before the bill received its Royal Assent in April, but the government said they were reworked based on recommendations by the Information Commissioner and issues raised during the final parliamentary debates.
The latest versions of the codes of practice make more effort to highlight the importance of transparency, with the government promising registers of all researchers and data processors who have access to the data.
All information on data sharing agreements will be in a public, searchable register to be maintained by the Government Digital Service – although there is of course a get-out clause that allows minimal information to be published in some cases, like national security.
Public service access
The codes also say who can access what, and when – authorities wanting to use the public service delivery principles must meet three broad conditions, which basically say that sharing must result in improved public service or wellbeing of citizens.
Public authorities are told to "carefully consider" why an information sharing agreement is necessary in order to achieve their policy objective, as well as run a privacy impact assessment in advance.
Examples of existing objectives are to assist people living in fuel poverty and to identify "vulnerable people who might need help from the authorities in re-tuning televisions in 2018 to 2019 after the 700Mhz band is to be used for mobile broadband rather than to transmit digital TV".
New objectives might be to support gang members to exit gang culture or reduce street sleeping, the codes said. These would have to gain ministerial permission before departments could share data to this end.
Elsewhere in the codes are rules for how the government can share data to claw back money owed to it – which it estimated as £24.5bn as of March 2016 – and for tackling fraud, which it says costs the government between £29bn and £40bn.
This will see the government establish a review board that will also monitor the pilots that the bodies have to carry out before they begin their data sharing.
These pilots must also ensure they use data in a way that is "fair" – i.e. make sure they chase down the people who can afford to pay, but don't, rather than those who are vulnerable.
Data breaches are to be reported to this board, as well as to the ICO, which has the power the carry out compulsory audits of government departments.
There are also sanctions for people found to be unlawfully or inappropriately processing data – these include being removed from the list of approved bodies, reported to the ICO or further action for offences like misuse of public office.
Research and statistics
Two further codes look at the powers the Act bestows on statistical bodies and researchers. The UK Statistics Authority is to have a governance role in both, and will be responsible for granting accreditation on both researchers and third parties that process that data.
Accreditation will be based on a number of elements – for example that academics have the right skills and experience and suitable research qualifications (these are listed as either an undergraduate degree that includes "a significant proportion" of maths or stats, or three years of quantitative research experience).
They can have this accreditation removed at any time, but it will last for a maximum of five years and can then be reapplied for.
The consultation is open until November 2.
Sponsored: Webcast: Ransomware has gone nuclear