Listen
Privacy principles to improve public confidence
31/08/2009
Public sector organisations should avoid creating large centralised databases of personal information and keep clear audit trails of how identity data is used, under new proposals published today.
The Scottish Government is consulting on Identity Management and Privacy Principles that aim to raise confidence in the management of personal data. Draft principles include:
- Proving identity or entitlement: people should only be asked for identity when necessary and they should be asked for as little information as possible
- Governance and accountability: private and voluntary sectors which deliver public services should be contractually bound to adhere to the principles
- Risk management: Privacy Impact Assessments should be carried out to ensure new initiatives identify and address privacy issues
- Data and data sharing: Organisations should avoid creating large centralised databases of personal information and store personal and transactional data separately
- Education and engagement: Public bodies must explain why information is needed and where and why it is shared
Finance Secretary John Swinney said:
"Public services which store and manage people's identity information must respect the privacy of individuals. Recent incidents where data has not been treated with due care are regrettable and avoidable. I want the public to feel confident that data is secure and their privacy is safeguarded.
"These guiding principles are aimed at everyone who is responsible for complying with requirements to protect personal information. The principles are important and relevant to a wide range of public sector staff, both those who deal directly with the public and also staff involved in designing and operating systems.
"This is about embedding principles and instilling further confidence in public services. I want a range of staff across the Scottish public sector and beyond to engage with us and help refine these draft principles to ensure Scottish public services are effective and secure."
Ken Macdonald, Assistant Information Commissioner for Scotland, said:
"The Information Commissioner's Office (ICO) welcomes this initiative of the Scottish Government. At the ICO we urge all public bodies to ensure that data protection is treated as an important part of corporate governance. Safeguarding personal information must be embedded in organisational culture and no public body should be taking risks with Scottish individuals' personal details."
The consultation closes on November 23, 2009.
In September 2008 the Scottish Government announced a short life expert group to develop draft principles on identity management and privacy for public service organisations. The expert group met between October 2008 and March 2009. Its members were:
Jerry Fishenden, Lead Technology Advisor, Microsoft UK Gus Hosein, Privacy International Rosemary Jay, Partner at Pinsent Masons LLP Alan Kirkwood, Chair of SocITM Scotland Ken Macdonald, Assistant Information Commissioner for Scotland, Information Commissioner's Office Duncan Macniven, Registrar General for Scotland.
Charles Raab, Professor Emeritus and Honorary Fellow, University of Edinburgh
The work to develop the Principles has been commended by counterparts in Europe such as Irish Data Protection Commissioner Billy Hawkes and the Dutch Commissioner Jacob Kohnstamm.