Identity and Privacy

People are often asked by public service organisations to prove that they are who they say they are - either to prevent fraud or to show that they are entitled to receive a particular service or benefit, for example, free medical treatment.

People want to know that public authorities and other organisations respect their privacy and recognise the harm which may be done if personal information is collected or held unnecessarily, or is lost or misused.

The Scottish Government published Identity Management and Privacy Principles that aim to raise confidence in the management of personal data. The Identity Management and Privacy Principles should be adopted by all Public Service Organisations [1] delivering Scottish public services and they include:

  • Proving identity or entitlement: people should only be asked for identity when necessary and they should be asked for as little information as necessary;
  • Governance and accountability: private and voluntary sectors which deliver public services should be contractually bound to adhere to the principles;
  • Risk management: Privacy Impact Assessments should be carried out to ensure new initiatives address privacy issues;
  • Data and data sharing: Organisations should, where possible, avoid creating large centralised databases of personal information and should store personal and transactional data separately; and
  • Education and engagement: Public bodies should explain why information is needed and where and why it is shared.

Identity Management and Privacy Principles

The Identity Management and Privacy Principles were developed for Scottish Ministers by an expert group to help public service organisations comply with data protection and human rights legislation and support good practice.

They are aimed at policy makers and practitioners in public service organisations to help ensure that respect for privacy is central to the way public services require their customers to prove identity or entitlement. The Principles will enable public service organisations to comply with legislative requirements and to achieve good practice.

They have been developed to give guidance on identity management and privacy to public service organisations and they apply to systems, either new or those being redesigned or redeveloped, which involve identity management.

Supported by the Information Commissioner and his office

As an Expert Group member, Ken Macdonald (the Assistant Information Commissioner for Scotland) helped with the production of the Principles. In a statement supporting the Principles (December 2010) Christopher Graham, the Information Commissioner said:

"All organisations handling personal information have a duty under the Data Protection Act to ensure that they handle information appropriately and securely… By adhering to these principles, the risk of inappropriate disclosure or loss should be reduced significantly."

Background and Reference Documents

The public consultation document, which includes the draft Identity Management and Privacy Principles, resulted in consultation responses from a wide range of organisations and a number of individuals. The Scottish Government considered these responses and published, in September 2010, the Draft Identity Management and Privacy Principles Consultation Analysis Report. After further consideration, we have also published (December 2010) a formal Scottish Government Response to the public consultation, which explains changes between the consultation draft and the current version.

Pages to contain examples, case studies and links to helpful resources

The Scottish Government will seek to publish examples and case studies along with providing links to resources you may find useful. Work will start on this in 2011. The ICO's website is the default place to gain current codes of practice and useful commentary along with core obligations under the Data Protection Act.

Current Version of the Principles

The current version is 1.1. PLEASE ALSO READ AND TAKE NOTE OF THE DATA SHARING CODE OF PRACTICE (STATUTORY), SEE BELOW.

[1] Public Service Organisations: a common term used to describe organisations that use public money to provide public services. This can include organisations from any sector (e.g. public, private or third sector).

ICO Data sharing code of practice (STATUTORY)

'The data sharing code of practice is a statutory code which has been issued after being approved by the Secretary of State and laid before Parliament. The code explains how the Data Protection Act applies to the sharing of personal data. It provides practical advice to all organisations, whether public, private or third sector, that share personal data and covers systematic data sharing arrangements as well as ad hoc or one off requests to share personal data.

Adopting the good practice recommendations in the code will help organisations to collect and share personal data in a way that complies with the law, is fair, transparent and in line with the rights and expectations of the people whose data is being shared.' (ICO, 11 May 2011).

Page updated: Wednesday, May 11, 2011