Informaticopia

Monday, March 23, 2009

Database State

Today the Joseph Rowntree Reform Trust published a major report on the Database State. In it, Ross Anderson and colleagues chart the rise of public sector databases which impact on everyone's lives.

The report arose from the loss by Her Majesty's Revenue and Customs of two discs containing personal information about nearly 50% of the population, and from a series of high-profile fiascos, data losses and challenges over effectiveness, privacy, legality and cost.

The report assesses 46 databases across the major government departments, and finds that:

* A quarter of the public-sector databases reviewed are almost certainly illegal under human rights or data protection law; they should be scrapped or substantially redesigned. More than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge.

* Fewer than 15% of the public databases assessed in this report are effective, proportionate and necessary, with a proper legal basis for any privacy intrusions. Even so, some of them still have operational problems.

* Britain is out of line with other developed countries, where records on sensitive matters like healthcare and social services are held locally. In Britain, data is increasingly centralised, and shared between health and social services, the police, schools, local government and the taxman.

* The benefits claimed for data sharing are often illusory. Sharing can harm the vulnerable, not least by leading to discrimination and stigmatisation.

* The UK public sector spends over £16 billion a year on IT. Over £100 billion in spending is planned for the next five years, and even the Government cannot provide an accurate figure for cost of its ‘Transformational Government’ programme. Yet only about 30% of government IT projects succeed.

The report uses a traffic light system to examine the databases - those achieving a red rating are "almost certainly illegal under human rights or data protection law and should be scrapped or substantially redesigned". These include three systems specifically relevant to health and social care:

* ContactPoint, which is a national index of all children in England. It will hold biographical and contact information for each child and record their relationship with public services, including a note on whether any ‘sensitive service’ is working with the child;

* the NHS Detailed Care Record, which will hold GP and hospital records in remote servers controlled by the government, but to which many care providers can add their own comments, wikipedia-style, without proper control or accountability; and the Secondary Uses Service, which holds summaries of hospital and other treatment in a central system to support NHS administration and research;

* the electronic Common Assessment Framework, which holds an assessment of a child’s welfare needs. It can include sensitive and subjective information, and is too widely disseminated;

Other databases in the field, including the NHS Summary Care Record, which will ‘initially’ hold information such as allergies and current prescriptions, are rated amber, which means "a database has significant problems, and may be unlawful. Depending on the circumstances, it may need to be shrunk, or split, or individuals may have to be given a right to opt out".

Out of the 48 databases studied only 6 are given a "green light".

I'm still working my way through the whole 63-page report and I'm currently analysing the significance and likely impact of the chapter related to the Department of Health.

The report has already been highlighted by the Guardian in its report entitled "Right to privacy broken by a quarter of UK's public databases, says report". It will be interesting to see what other reaction it receives and, most importantly, whether the direction of travel for government IT is changed at all.


Thursday, January 10, 2008

28 questions in the Data Sharing Review

In October 2007 the UK's Prime Minister asked Dr Mark Walport, Director of the Wellcome Trust, and Richard Thomas, the information commissioner, to conduct a review of the framework for the use of information in the private and public sector.

They have just published, on the Justice Ministry web site, the 28 questions on which they wish to gain public and expert views.

The terms of reference are to:
* consider whether there should be any changes to the way the Data Protection Act 1998 operates in the UK and the options for implementing any such changes
* provide recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection
* provide recommendations on how data-sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability

I think this is an important area for public debate and development and shouldn't just be a knee-jerk reaction to recent high-profile data losses. I would encourage everyone with an interest to participate.
