This paper asks how we can best let people know what they can expect from any public sector organisations that process their personal information. It recommends publication of the standards the public sector will adhere to when collecting, holding, using and deleting information about people. The consultation is aimed at the general public, public sector organisations and interest groups in the UK. This consultation does not set out firm Government intentions. It is very much an exercise in finding out what people think about the issues and the results will help us to develop future Government policy. This consultation is being conducted in line with the Code of Practice on Written Consultation issued by the Cabinet Office. It falls within the scope of the Code. The Code criteria set out in the General Principles of Consultation have been followed.
The proposals, if adopted, would apply only to the public sector so would not lead to additional costs or savings for businesses, charities or the voluntary sector. A Regulatory Impact Assessment has therefore not been completed.
Copies of the consultation paper are being sent to government departments, agencies and non-departmental public bodies, local authorities, consumer groups and private individuals.
A questionnaire is included on this website. We would find it very helpful if you completed this, or as much of it as you wanted. We also welcome more detailed comments on any or all of the questions.
Please send your response by 27 June 2003 to:
Carl Pencil
Lord Chancellor's Department
Privacy and Data-Sharing Division
4th Floor
MWB Business Exchange
10 Greycoat Place
London SW1P 1SB
Tel: 020 7960 6509
Fax: 020 7654 3586
Email: Carl Pencil
Representative groups are asked to give a summary of the people and organisations they represent when they respond.
The Department may wish to publish responses to this consultation document in due course. Please ensure your response is marked clearly if you wish your response or name to be kept confidential. Confidential responses will be included in any statistical summary of numbers of comments received and views expressed.
Further copies of this consultation paper can be obtained from Carl Pencil at the above address, e-mail, or telephone number.
In April 2002 the Performance and Innovation Unit (PIU) of the Cabinet Office produced a report entitled Privacy and Data-Sharing: the Way Forward for Public Services. This recommended better use of the personal information collected by public sector organisations to deliver improved services. It also recommended that this would need to be accompanied by building public trust in the way people's personal information was used. The report recommended that all public sector organisations should comply with a Public Services Trust Charter. This document (see Annex A) set out key commitments to be adhered to by the public sector when handling personal data.
The PIU report contained evidence of public concerns about how personal information is protected, particularly with the development of new technologies. The report also showed that people are generally not aware of the current legal safeguards that should ensure personal information is correctly handled. We have therefore developed the charter suggested by the PIU Report to help inform people of their rights and of what they can expect from the public sector.
We have amended the PIU Charter to produce a shorter document (see Annex B) on which we wish to consult much more widely to gauge its effectiveness. Most responses to the PIU report came from people within the public sector. While it is of course vital to have the views of those who would need to abide by any form of charter, we are now particularly interested in hearing from those people whose only experience of the public sector is as a 'customer': the very people for whom the document is intended. In particular, we would like to hear views on:
whether the document proposed is sufficiently clear about what people can expect from the public sector; and
what else the public sector might do to address public concern and improve confidence.
Respondents may want, and are very welcome, to answer questions 1 to 6 only.
There are also more detailed questions on the suggested contents of the document and comparisons with the original draft charter.
To ensure that the document is more than just a set of aspirations, public sector organisations that share personal information to provide services to the public will need to have in place more detailed documents, available to the public on request, on procedures for dealing with personal information. An indication of what might be included in these documents is included in this paper and comments are also requested on these.
1. People are increasingly attracted to the innovative and convenient services offered by the private sector, such as on-line banking and shopping. However, such services were not immediately popular and companies had to work hard to promote confidence in using these methods, and to overcome the fears many people originally felt about sending details about themselves and their finances through cyberspace.
2. In the same way the public sector is rising to meet the challenge of offering greater convenience and increased efficiency through on-line services and better use of information supplied by the public. But it faces an even greater challenge than the private sector to ensure that people are willing to impart information about themselves secure in the knowledge that it will be properly safeguarded.
3. We all accept that if we want to use public services we must provide them with information about ourselves, from simple details like name and address to the potentially sensitive information about medical conditions. We also accept that the state has a duty to prevent and prosecute crime and fraud, and that this may involve access to information about people without getting their consent.
4. Yet the very scale of the amount of information collected by the public sector can lead to fears about a possible erosion of privacy by a 'Big Brother' government. On a more mundane level, some people may have concerns about the efficiency of public sector bodies in safeguarding the personal information they collect and hold. These fears are understandable and often arise from a lack of knowledge about the protections offered by the law. We therefore want to provide people with information on what they can expect from the public sector and what they can do if they are not getting the service they should.
5. In April 2002 the Performance and Innovation Unit (PIU) of the Cabinet Office produced a report entitled Privacy and Data-Sharing: the Way Forward for Public Services. This set out two main objectives: to encourage better use of personal data to deliver improved public services; and to safeguard personal privacy.
6. The report cited a number of studies that show a lack of public trust in the way the public sector handles personal information and concern about the risks to personal privacy arising from the introduction of new technologies.
7. Data protection legislation provides safeguards on the handling of personal information by both the public and private sector, but there is little public awareness of it. While the Data Protection Act 1998 gives people rights and provides them with protection, this is undermined if people are not aware of their rights and do not know how to challenge an organisation that they think is acting improperly. We therefore want to produce a simple, easy to understand document that lets people know about the standards they can expect from organisations that request or hold their personal information and what they can do if they do not think these standards are being met. The Data Protection Act is overseen and enforced by the Information Commissioner. We therefore want to better advertise the Commissioner's role so that people know where to get further information and how to challenge any behaviour they think is wrong. Greater knowledge of data protection principles will thus both empower people and help to reassure them. An extract from the Data Protection Act 1998, listing the principles that organisations must adhere to, is at Annex C.
8. The PIU report proposed the publication of a Public Services Trust Charter to be adopted by all public sector organisations that handle personal information. The Charter is shown at Annex A. The Charter set out the main principles of the Data Protection Act, and promised that each service would issue a statement with any request for information, detailing how the organisation applied those principles.
9. Comments were requested on the draft Charter. A full report on the consultation responses has been published by the Lord Chancellor's Department. The response rate was disappointing. There were only 26 responses to the question on the Charter, and only three of these came from private individuals. None of these individuals commented either favourably or unfavourably on the proposed charter. However, the responses were broadly positive with 23 out of the 26 in favour of the introduction of a Charter, believing it would help to improve public confidence.
10. This is encouraging. However, it gives us little indication as to whether the general public would find the Charter helpful, whether it provides the information or assurances they want and whether it would make them feel happier about surrendering personal details about themselves to public bodies. In addition, we believe that the Charter proposed in the PIU report could be shorter, simpler and less technical. We have therefore produced a new draft which translates the set of principles into a list of concrete promises to let the public know what they can expect from the public sector and also what they can do to help ensure information is kept up to date. The revised version is at Annex B and it is this version on which we are now seeking views.
11. The proposed document does not go into any details about how people's information is used and protected. We envisage that while keeping to the standards in the overarching document, organisations would also need to produce service specific statements translating the general terms of the guarantee into concrete ones referring to their area of business. For example, the first promise of the document is that we will tell you 'why we need your information and what we will do with it'. The service specific statement would therefore need to set out the reason for collecting information in brief, easily understandable terms.
12. Many public sector organisations already produce their own service specific privacy statements. An example, used by the Department for Work and Pensions, is shown at Annex D. We believe it would be best for all public sector organisations to adopt the same common statement of standards, as set out in the document at Annex B (backed up by service specific statements), as this will ensure that they are all signed up to providing a certain level of service. However, others might think that a document covering all public sector organisations is unnecessary and that individual service specific statements are sufficient. We are also seeking views on this.
13. We are particularly keen to have the views of members of the public. While everyone is of course a user of public services to a greater or lesser extent, the views of those commenting as employees of public sector organisations are likely to be different from those who only know these organisations from the position of 'customers'. Respondents may prefer, and are very welcome, to restrict themselves to the first six general questions below. The subsequent questions go into more detail on the content of the guarantee at Annex B and of the documents that will be needed to support it.
14. The fundamental questions are whether the document proposed at Annex B gives people the information they need to empower and reassure them; and how else we can let people know about data protection standards. If it seems that this is not the way to let people know what they can expect, or that it can be only partially effective in doing so, we will need to consider other methods. We would welcome views on what other ways we might use to publicise the standards governing how personal information is handled.
15. We have also considered whether to change the name of the document from 'charter' to 'guarantee'. This is a word that implies a strong level of certainty that the promises will be honoured. Charters tend to contain aspirational standards. The intention with the promises given in the document is that public sector organisations should look to fulfil them 100%. Various other names have been suggested for the document such as statement of confidence, promise, commitment, privacy policy.
| Q1 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The document shown at Annex B tells me what I need to know about the way the public sector handles my personal information." |
| Q2 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The document at Annex B is clear about what I can expect and easy to understand." |
| Q3 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The document at Annex B makes me feel more confident about the way the public sector handles my information." |
| Q4 Do you have any further views about ways to let people know the standards the public sector should meet when handling personal information? |
| Q5 In your view, should public sector organisations provide: a) one common statement on information handling; or b) separate service-specific statements? Or c) do you have no opinion? |
| Q6 In your view, which name would be most appropriate for the document: a) guarantee; b) charter; c) commitment; or d) other? |
16. In revising the PIU report's charter, we have tried to balance simplicity and plain English against the need to give the public as full a picture as possible of how their personal information will be handled. We have also tried to avoid over-loading the document with information, but have instead set out what further information is available on request. At the same time we have attempted to produce a meaningful document that reflects the main data protection principles and to avoid producing an anodyne document that is easy to read but says little.
17. It can be difficult to strike the right balance between simplicity and sufficient detail. The draft charter in the PIU report lists the occasions when information can be processed without the subject's knowledge: "for purposes such as national security, public safety, statistical analysis, the protection of the economy, the prevention of crime or disorder, the protection of health or morals, or the protection of the rights and freedoms of others". Many respondents to the consultation were puzzled about this list, particularly by terms such as 'protection of morals' which they felt were too vague. The list comes from Article 8 of the European Convention on Human Rights. However, it takes this list out of context and does not explain that these are occasions when privacy might be curtailed, but only if it is both necessary and proportionate, and if the law allows it. A balance also has to be drawn between how information should be protected under the Data Protection Act and how it might be capable of being passed on under the Convention. These are complicated matters and going into detail about the Convention, without explaining the added protection of the Data Protection Act, would not be possible in the charter. At the same time, to quote from the Convention, without explaining the source, has been shown to be unhelpful and misleading. We therefore propose that the guarantee should give only two examples of when information might be passed on: to prevent and detect crime. A supporting code of practice should then explain in detail, and with reference to the relevant legislation, when the right to privacy can be curtailed. However, it might be argued that to give only two examples on the guarantee is misleading. We are therefore seeking views on this.
| Q7 Where data is shared without consent do you agree that: a) the document at Annex B should detail all the circumstances when this might happen; b) only the supporting documents should detail all the circumstances when this might happen; or c) do you have no opinion? |
18. Some respondents to the consultation on the PIU charter felt it lacked detail. For example, on the subject of consent, the charter does not say how data controllers (those who collect and use personal data) will gain the consent of data subjects (the providers of personal information); the nature of 'informed' consent; how long the consent will last; how to gain consent if information is given by a third party, and the position on gaining the consent of particular categories of people, such as children.
19. We have not attempted to include this detail since to do so would produce a long, highly detailed document, and therefore one that is unlikely to be read. Instead we have specified what other information is available, referring to the organisation's Code of Practice and management guidance on information handling and any data-sharing protocols it may have. This gives the public a better idea of the information that they can request, demonstrates that the document is backed up by more detailed documents, and also ensures that, to comply with it, public services need to produce the supporting documentation.
20. Some respondents also felt that the Charter should refer more explicitly and in greater depth to the underpinning legislation. The guarantee proposed at Annex B is intended to be a high-level document and, for reasons of readability, we have not done this. Each organisation's supporting documents, in particular the Code of Practice, will need to include this detail.
| Q8 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The document at Annex B contains enough of the main principles of the Data Protection Act 1998." |
| Q9 If you disagree with question 8 - what else should be included? |
21. We have tried to avoid making any promises that it will be difficult to keep. For example, the draft charter promised that decisions would only be made on the basis of reliable and up-to-date information. This is unrealistic. The Data Protection Act places a duty on data controllers to 'take reasonable steps' to ensure the accuracy of the data. Organisations could explain how they do this in their supporting documents. However, the data subject must assume some of the responsibility in this area, particularly in letting the data controller know promptly about any changes in information, such as a change of address. We have therefore included a section letting people know what they can do to help.
22. We have sought to avoid any ambiguities in wording that might lead the public to think that they may be entitled to more information than is the case. The PIU charter says that a service specific privacy statement will let the public know 'who' will see their information. It is possible that some may take this to mean that individuals with access to the information will be named. This would clearly be impractical, especially in large organisations, and would not be of any real benefit to the data subject.
| Q10 If you are an employee of a public sector organisation, do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The document at Annex B is realistic." |
| Q11 If you disagree with question 10 - please explain. |
23. We propose that the guarantee proposed at Annex B should be adopted and adhered to by all public organisations that collect personal information from the public. This will include government departments and their agencies, non-departmental public bodies and local authorities. Any of these organisations using sub-contractors to deliver services will also need to ensure that the sub-contractors can meet these standards. It would be unacceptable to allow some public services to provide no, or diluted, guarantees.
24. If we adopt a common statement we will need to promote it by including it on public sector organisation websites and displaying it in public offices. We propose that it should also be made available, on request, in Braille, large print, and ethnic minority languages to ensure the widest possible accessibility. We have included a logo on the document at Annex B to indicate that all public sector organisations are signed up to a common level of service. The Information Commissioner's Office produced the information padlock logo to alert people to the fact that their information was being collected. The padlock could appear on the websites of all public organisations next to any request for information. Clicking on the logo would then bring up the common guarantee and a service specific privacy statement.
25. If personal information is requested by letter or e-mail, the service specific privacy statement should be enclosed or attached. When someone gives information in person, he or she should be given a copy of it. It is more difficult to bring the guarantee or the organisation's service specific statement to the attention of someone who is supplying information over the telephone. The most sensible solution would usually be to advise the person why their information was wanted and that it would be handled correctly according to a guarantee which could be sent to them if they wished.
| Q12 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The consultation document proposes the right methods for bringing the guarantee and service specific privacy statement to the attention of the public, in particular to those people who are asked to provide information." |
| Q13 If you disagree with question 12 - please explain. |
26. The PIU report recommended that the charter be supported by Codes of Practice, Management Guidance and - where appropriate - Data Sharing Protocols. In order to comply with data protection legislation, most public sector organisations already have such background documentation, for example, advising staff on correct handling of information. However, it is particularly important that organisations that take part in data-sharing to provide services to the public have rigorous data handling procedures in place and can demonstrate this through their supporting documents.
27. We have looked at some of the existing documents to better understand current practice. This will enable us to identify and encourage best practice. We plan to produce detailed guidance on each of the documents at a later stage. At present, we are seeking views on the main subject headings that should be included in them.
28. We do not want to produce simply a layer of bureaucracy that will force organisations to produce extra documents unnecessarily. We do not therefore propose to produce rigid templates and expect all organisations to follow them. Many organisations will have perfectly adequate codes of practice and management guidance, even if they are not in the form suggested here, and even if they are spread over more than one document with different titles. (For example, instead of one document on management guidance, an organisation might have a manual telling staff how to apply data protection principles, as well as a separate security manual and separate guidance on ensuring accuracy of data. It would not then be necessary for that organisation to produce a new manual bringing those elements together.)
29. It would also be unrealistic to try to produce templates that were appropriate for all. Different organisations will need to produce very different documents to reflect differences in the work they do, the scale of their operations, and the nature and reasons for any data-sharing they do.
30. However, we do want to provide as much help as possible, particularly for smaller organisations, which might lack detailed documentation and have scant resources to produce it. Local authorities, for example, are keen to improve their services by greater use of data-sharing and, if they do this, it is envisaged that they will need to produce data-sharing protocols. However, it would be a waste of resources if they were all to work in isolation on producing such documents from scratch. Comments on the following guidelines are therefore welcomed particularly from such organisations.
31. Codes of practice are encouraged in the 1995 EC Data Protection Directive and in the UK Data Protection Act. The Information Commissioner takes a role in endorsing codes of practice, publishing guidance on compliance with the Data Protection Act, and calling for a code of practice to be developed, if necessary. Codes aim to ensure the implementation of a high-level commitment to privacy protection by defining the standards to be met by an organisation and its staff; and setting out the steps of how these standards should be met. A Code of Practice should promote openness and transparency, consistency across services, and accountability.
32. A skeleton Code of Practice is shown at Annex E, in the form of a list of headings and sub-headings. Some organisations will need to place a much greater emphasis on some sections than others and some will want to contain additional information.
| Q14 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The suggested Code of Practice includes all the necessary headings." |
| Q15 If you disagree with question 14 - what else should be included? |
| Q16 If you think any of the headings in the Code are unnecessary, please state which one/s. |
33. It is envisaged that Data-sharing protocols will need to be produced jointly by organisations exchanging personal information to provide public services. These should assist data-sharing by building trust between participating organisations and ensuring that each is working to agreed standards. The protocols will draw on the Codes of Practice of each of the organisations involved. Further, they will need to define and allocate responsibilities, and agree processes.
34. Data sharing takes place for many different reasons. For example:
to improve services, such as health care;
to provide joined-up services, e.g. by local authorities;
to aggregate information to produce statistics;
It can also take place, to the extent that it is necessary and proportionate and lawful, to prevent and detect crimes, such as fraud. It also takes place in different ways; for example, one way, two way or multi-way sharing.
35. It would be impossible to suggest a model protocol that could encompass these different types of data-sharing, taking account of different capabilities, needs and methods of different organisations, of different sizes, purposes and resources. Each organisation will need to produce a protocol according to the type of data-sharing that is taking place. Nevertheless, we will be producing guidance on what the different types of protocol should include.
36. At Annex F is a suggested skeleton for a generic protocol. As with the suggested Code of Practice, some data-sharing partners will need to include additional information and to emphasise certain aspects.
| Q17 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The proposed Data Sharing Protocol includes all the necessary headings." |
| Q18 If you disagree with question 17 - what else should be included? |
| Q19 If you think any of the headings in the Protocol are unnecessary, please state which one/s. |
37. Management Guidance is each organisation's manual for staff on the day-to-day use of data. While intended largely for staff, we believe it should be available to the public since it will show how the principles of the Code of Practice are translated into action. It will also demonstrate that standards on data handling are built into the job descriptions of relevant staff. At Annex G is a document showing suggested subject headings for Management Guidance.
| Q20 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The attached Management Guidance includes all the necessary headings." |
| Q21 If you disagree with question 20 - what else should be included? |
| Q22 If you think any of the headings in the Guidance are unnecessary, please state which one/s. |
38. Complaints procedures will need to be referred to in Codes of Practice, Information Sharing Protocols and Management Guidance. It is essential that people know what they can do if they think an organisation is not acting correctly, or not complying with the charter, and that means that fair, rigorous and effective complaints procedures must be in place. We therefore plan to produce separate guidance on this. The size of an organisation, in particular, will affect its complaints procedure. However, some aspects, such as an independent right of appeal, and referral to the Information Commissioner, should be common to all. A suggested outline for a generic complaints procedure is shown at Annex H.
| Q23 Do you strongly agree, agree, disagree, strongly disagree or have no opinion on the following statement: "The proposed complaints procedure contains all the necessary elements." |
| Q24 If you disagree with question 23 - what is required? |
39. The supporting documentation could be placed on public sector organisations' websites so that anyone who wished to could view them in that way. If someone requests a hard copy, our view is that each of the supporting documents should be available to the public free of charge. If so, the guarantee should state this. There should not be any substantial administrative cost in providing copies of the supporting documentation, which should be readily available in each organisation. Nevertheless, it may be reasonable to allow organisations the discretion to charge a small amount to cover actual disbursements, such as the cost of postage and packing. Imposing a charge also helps to discourage frivolous requests. If there is, or may be, some charge, the guarantee should clearly state this.
| Q25 Do you think the supporting documents should be: a) free of charge; b) available for a fee to cover the organisation's costs; or c) no opinion? |
Box 6.2: Draft Public Services Trust Charter - for consultation
This Charter sets out the standards of service that you can expect from public services in the way they handle personal information.
WHAT YOU CAN EXPECT FROM US
In observing the Data Protection Act, public services will aim to ensure that the following principles apply in handling personal information:
Overall Principles
The principles apply to personal information which we hold both on computer and in some paper records.
Service-specific Privacy Statements
Wherever we request personal information from you, we will publish a Privacy Statement for that service which will set out clearly:
We will also tell you:
They are an enforceable set of eight good practice rules for the handling of personal data. They form the core of the protection given by the Data Protection Act 1998. Everybody processing personal data must comply with them. They require personal data to be:
processed fairly and lawfully;
processed for limited purposes;
adequate, relevant and not excessive;
accurate;
not kept longer than necessary;
processed in accordance with individuals' rights;
kept secure;
not transferred to non-EEA* countries without adequate protection.
* The European Economic Area comprises the 15 Member States of the EU together with Iceland, Norway and Liechtenstein.
The Department for Work and Pensions (DWP) collects information for social security, child support, vaccine damage, employment and training purposes. The information we collect about you will depend on the nature of your business with us but may be used for any of the Department's purposes. We may check information provided by you, or information about you provided by a third party, with other information held by us. We may also get information about you from certain third parties, or give information to them, to check the accuracy of information, to prevent or detect crime, or to protect public funds in other ways, for research and statistical purposes, as permitted by law. These third parties include other government departments, local authorities, and private sector bodies such as banks and organisations that may lend you money. We will not disclose information about you to anyone outside DWP unless the law permits us to. DWP is the Data Controller for the purposes of the Data Protection Act. If you want to know more about what information we have about you, or the way we use your information, you can contact any of the Department's offices and ask for the leaflet GL33. Or you can find a copy of the leaflet on our website. The address is www.dwp.gov.uk.
To protect your privacy
Legislation: To ensure compliance with Data Protection Legislation:
The Data Protection Act 1998 - the eight principles, and the data subject's rights;
any other service specific legislation, e.g. prohibiting data-sharing
To set procedures and standards that the service user can expect from staff.
Members of the public
Employees/staff
Anyone from whom personal data may be requested
To meet the needs of our service users
When you give us information about yourself we keep a record of your personal details to reduce the number of times we need to ask you to repeat them
We may share information with other organisations with your consent e.g.:
to tell you about services close to where you live
to supply joined-up services
To see if our service is effective & efficient
For research purposes
For staff training purposes to improve our service to you
We may share information with other organisations without your consent:
If we are required to by law
For crime prevention and detection purposes
In the interests of national security
Whether you have a choice about providing us with information
The nature of informed consent and how we obtain it (including any special types of consent e.g. involving children, the mentally incapacitated)
Any time-limits on consent - will we renew the consent regularly or at particular stages
Occasions when we can require information from you without your consent
Obtaining your consent to pass on your information to other organisations
Occasions when we can pass on your information to other organisations without requiring your consent
Personal data obtained for one purpose should not be used for an incompatible one
Only authorised data users access/process the data when they need it for specific purposes
Staff have a duty to keep information about you private
Unauthorised disclosure or misuse of personal data may lead to disciplinary action
We provide training to staff to make them aware of confidentiality issues
Storage of data is safe and secure
Our policies and procedures are regularly audited
When we disclose personal data we release only as much information as is necessary for the purpose
Anonymisation of personal data for statistical purposes
How personal data is checked, cleansed, corrected, validated and analysed
A named person will assume overall responsibility for implementation of security procedures
Electronic security provisions, e.g. use of passwords, restricted access, encryption
Security provisions for manual records, e.g. storage
Staff training
Staff are made aware of legal penalties that may apply to wilful wrongful disclosure
Regular audits to monitor security procedures and review if necessary
Information will be kept no longer than necessary
Personal data will be kept on our records for -------- time and then deleted by authorised staff
Occasions when information may not be deleted
Under the Data Protection Act you will usually have the right to see information we hold about you.
Exceptions to subject access rights
We will/may charge a fee for this service, £---
We will aim to respond to your request within 40 days
Contact details of e.g. Data Protection Officer
What should your request for information contain? E.g. full name, address, enclose payment etc…
Check that the details we hold about you are accurate and up to date
Requests to amend information we hold about you need to be put in writing and addressed to …
We aim to make the necessary amendments in compliance with our service user care standards, e.g. undertaking to correct information in 10 days
What happens if someone wants to complain about our handling of a subject access request?
Complaints procedure [see Annex H]
Right of appeal
Review of procedures and practices in line with justified complaints
Full contact details
Regular review of:
Procedures
Complaints
This Code of Practice
First point of contact for queries etc, e.g. Data Protection Officer
Chief Knowledge Officer's name and full contact details
Further contacts and useful websites, e.g. www.dataprotection.gov.uk
List the organisations involved in sharing data
Describe what they do
Role and responsibilities of any agents or contractors to the partners
Reasons for data-sharing e.g.:
crime prevention, reduction and detection; and/or to ascertain the effects of crime on the community
to provide better, joined-up local services
to collect statistical information to analyse trends
The Data Protection Act
Data-sharing gateways
If data-sharing is with the consent of the data subject only, how consent will be obtained
Case by case requests for information
Block data-sharing between partner organisations
Responsibilities of the parties (partners)
Designated officers: role, responsibilities, and full contact details. The Chief Knowledge Officer
Explain how accuracy of shared data will be maintained and partner organisations informed if inaccuracies come to light
Each organisation involved is subject to its own Code of Practice.
Describe the security procedures necessary to ensure that the security of information is maintained during the exchange process
Highlight any differences between partners' complaints procedures
Establish how complaints touching more than one of the partners should be dealt with
Establish how to deal with breaches of the protocol by any of the partners
Referrals to Information Commissioner
Staff training to promote awareness of their responsibilities when handling and exchanging information
Regular reviews of procedures and protocols
To ensure all employees effectively process and manage data within set standards, to protect the privacy of individuals, and to comply with the principles and requirements of the Data Protection Act 1998.
Other relevant service specific legislation, e.g. prohibiting sharing of personal data
Line managers must interpret this policy and the associated controls in their areas of responsibility
Line managers must ensure staff reporting to them are made aware of their responsibilities and standards to be met in carrying these duties out
Individual employees to apply the controls as agreed with their Line manager within the requirements of office standards
Duties and standards on data protection to be included in job descriptions of relevant staff and their managers and assessed at regular job appraisals
The Chief Knowledge Officer /Records Management Officer to monitor the accuracy and effectiveness of the data protection controls across the department.
Requests must be from an individual
Requests must be made in writing (includes e-mail)
Fee required
Exemptions/reductions
Methods of payment
Action to take if insufficient information
Time limit on replying to request (i.e. 40 days starting on the day the request was received, or less)
Reasons for not complying with request
Alternative arrangements (e.g. access to registry)
Right of appeal, if dissatisfied
Queries on confidentiality policy to be referred to (named person)
When and where staff can get legal advice
Retain copies of requests made and responses sent
In accordance with Code of Practice
Only authorised data users should access/process the data when they need it for specific purposes
Data held must be kept confidential (telephone, written and electronic)
Storage of data must be safe and secure
Nobody should handle personal information without training on confidentiality issues first
Procedures will be regularly audited
Unauthorised disclosure of personal information or misuse of information may lead to disciplinary action (see disciplinary section)
Dealing with requests for disclosure of personal information from other organisations:
Disclosure with consent
Disclosure without consent, e.g. to prevent crime and trace those responsible (e.g. fraud offences).
Queries on confidentiality policy to be referred to (named person)
When and where to obtain legal advice
How to ensure accuracy of data held, e.g. data matching, updating exercises (state office standards, e.g. for accuracy and time taken to make amendments)
(As in Code of Practice)
Protect personal information from unauthorised disclosure or interception
Security procedures for manual and electronic records
Audit trails
Non-compliance with the security policy may lead to disciplinary procedures
Deletion schedules
Procedures for part deletion of data e.g. shave files down to basic details such as: name, date of birth, gender, history of contact, outcome (data could become anonymous and held to be used for statistical purposes)
(See complaints, Annex H)
Complaints procedure
What is a complaint?
Time standards for acknowledgement and reply
Quality standards for writing a letter in reply to a complaint
Assessing redress / compensation
Dealing with verbal complaints, e.g. by phone
Learning from complaints
Changing policies/procedures as a result of complaints
Adhere to the data-sharing protocol
Standards for replying to requests for information from partner organisations
Disciplinary action may be taken against any member of staff who does not fully adhere to the organisation's privacy policy through:
unauthorised access of data
unauthorised disclosure
unauthorised use of data (e.g. not for reason given to data subject)
not adhering to the organisation's Code of Practice and data-sharing protocols, and Management Guidance
Disciplinary procedures
Right of appeal
Further advice and contact details
Internal contacts: senior officers, Chief Knowledge Officer
External contacts e.g. Information Commissioner
Complaints can be made by members of the public, any authority or organisation
A service provider need not treat every contact as a complaint, e.g. where a person simply points out an error in the information held about their details
Complaints Procedure to be quick, simple and perceived to be fair
It must be accessible. Tell service users what the complaints procedure is, how they can find out about it and how to make a complaint.
Oral and written complaints. While written complaints may be encouraged, oral complaints should be treated seriously and registered as complaints.
Publish a time limit (e.g. 21 days) within which the complaint will be dealt with and a response sent to complainant
In the reply letter:
Set out what the complaint is to ensure shared understanding
Explain the steps taken to investigate the complaint
Explain what has been taken into account in determining the complaint
Give the outcome with reasons
Explain any compensation if the complaint was successful
Explain any right of appeal if the complaint was unsuccessful or partially unsuccessful or compensation was claimed and has been denied.
Explain any internal remedial action to be taken to avoid similar complaints in future
If the complainant is unhappy, explain to whom they may appeal within the organisation
Give name/ position/status/full contact details
Explain that the complaint will be determined by, e.g., the Chief Knowledge Officer (a senior person who can influence remedial action within the organisation)
Explain that the investigator of the complaint will be independent from those involved in the event and in the initial investigation
Explain what further steps the person can take if still dissatisfied with the outcome of the complaint. This should be to someone independent of the organisation e.g. the Information Commissioner, the Parliamentary Commissioner for Administration, any relevant Ombudsman.
If, due to data sharing, a complaint involves more than one organisation, it should be determined in advance which organisation should deal with it.
If a complaint is transferred to another organisation, the first organisation should:
Tell the complainant where it has been sent
Let the complainant have a copy of the second organisation's complaints procedure and point out any significant differences, e.g. in time for reply
Let the complainant know when they can expect to have a full reply
If the complaint involves more than one organisation, the determining organisation will need to arrange for the other organisation to investigate its area of responsibility, contribute to the determination and agree a draft of the substantive response
All front-line staff and any who are likely to have to deal with complaints in person, by telephone and in writing should have full guidance and training
Internal guidance should make clear to staff that complaints are constructive events, which help the organisation ensure good service to the public.
If you have any complaints or comments about the consultation process, you should contact the Lord Chancellor's Department's consultation co-ordinator, Laurence Fiddler, on 020 7210 2622 or email him at Laurence Fiddler. Alternatively, you may wish to write to the address below:
Laurence Fiddler
Consultation Co-ordinator,
Room 8.23
Lord Chancellor's Department
Selborne House
54-60 Victoria Street
London SW1E 6QW
The criteria in the Code of Practice on Written Consultation issued by the Cabinet Office are as follows:
Timing of consultation should be built into the planning process for a policy or service from the start, so that it has the best prospect of improving the proposals concerned, and so that sufficient time is left for it at each stage.
It should be clear who is being consulted, about what questions, in what timescale and for what purpose.
A consultation document should be as simple and concise as possible. It should include a summary, in two pages at most, of the main questions it seeks views on. It should make it as easy as possible for readers to respond, make contact or complain.
Documents should be made widely available, with the fullest use of electronic means (though not to the exclusion of others), and effectively drawn to the attention of all interested groups and individuals.
Sufficient time should be allowed for considered responses from all groups with an interest. Twelve weeks should be the standard minimum period for a consultation.
Responses should be carefully and open-mindedly analysed, and the results made widely available, with an account of the views expressed, and reasons for decisions finally taken.
Departments should monitor and evaluate consultations, designating a consultation co-ordinator who will ensure the lessons are disseminated.