Introduction
This document is the post-consultation report for the consultation paper, For your information: how can the public sector provide people with information on, and build confidence in, the way it handles their personal details? It will cover:-
the background to the report
a summary of responses to the report
a detailed response to specific questions raised in the report
the next steps following this consultation
Further copies of this report can be obtained by contacting Carl Pencil at the address given below:
Carl Pencil
Department for Constitutional Affairs
Information Rights Division
MWB Business Exchange
10 Greycoat Place
London
SW1P 1SB
Telephone: 020 7960 6509
E-mail: Carl Pencil
Background
The consultation paper "For your information: how can the public sector provide people with information on, and build confidence in, the way it handles their personal details?" was published on 3 April 2003. It invited comments on how best to let people know what they can expect from any public sector organisations that process their personal information. It recommended publication of a document setting out the standards the public sector adheres to when handling people's personal data.
Copies of the consultation paper were sent to government departments, agencies and non-departmental public bodies, local authorities, consumer groups and private individuals. It was also available on the Department's website. A number of public meetings were held in different parts of the UK shortly before and during the consultation process, at which delegates discussed issues around data sharing and protection of privacy, and those who attended were encouraged to complete the consultation questionnaire.
A list of the respondents is at Annex A.
Summary of Responses
1. A total of 182 responses to the consultation paper were received. Of these, 78 were from public sector organisations (45 from local authorities, and 33 from government departments and agencies). 104 responses were received from outside the public sector, of which 60 were from individual members of the public. Figure 1 shows a breakdown of responses by sector. Throughout this paper, references to 'public' responses includes all those from local authorities and government departments and agencies; while private refers to all others, excluding those 11 respondents who did not provide sufficient information to determine their background, and who are therefore only included in overall totals.
2. The large majority of respondents provided answers to all or most of the 25 questions in the consultation paper. About 50% of respondents used the questionnaire provided with the consultation document (Annex C), while some preferred to send written answers only, or in addition to it. A small proportion of respondents sent wider comments about data sharing that were not always relevant to the consultation paper. However, any relevant comments have been included in the analysis below.
3. Joint responses were received from the Data Protection Practitioners Group, representing central government Data Protection Officers, the National Association of Data Protection Officers and the North East Regional Smartcard Consortium, with members from 26 local authorities.
4. While the responses were somewhat mixed, and a number of reservations were expressed, there was a reasonably good level of support for the guarantee: about two thirds of all respondents found it to be useful, clear and easy to understand. The number who thought that it would increase their confidence was lower, although it was still the case that a small majority of the people who responded to this question agreed. Many thoughtful and constructive suggestions were made as to how the proposed guarantee and supporting documents could be amended, how they should be publicised, and other ways of increasing people's awareness of their data protection rights. We have done our best to represent the full range of views in the summaries of responses to individual questions below. We are very grateful to everyone who responded.
Figure 1
Responses to Specific Questions
Many of the questions refer to 'the document at Annex B'. This refers to the draft guarantee that was the main subject of the consultation paper. A copy of this document is at Annex B of this report.
Q.1: The document at Annex B tells me what I need to know about the way the public sector handles my information.
62% of those classified as private agreed that the document told them what they needed to know. This was comparable with the figure for public sector responses of 60%. 23% of all respondents disagreed.
Those who disagreed generally felt that the document needed to contain more details about precisely how their information would be handled, and in particular, the security arrangements. One member of the public said "the public should be given proper information at the time they give their personal information, not told they 'may ask to see it' ".
A common suggestion from public sector organisations was that Annex B should contain, or specifically refer to, the eight principles of the Data Protection Act 1998. Some respondents said that they preferred the original public trust charter (of which this was a revision) as it contained more information: one said that Annex B was "far too simplified". The Law Society respondent thought that the public trust charter offered to supply much more information in the service specific statements than did the guarantee, such as who would see people's information and when it would be deleted. The document at Annex B had changed these promises into more general terms, giving only assurances that nobody would have access to information who should not and that it would not be kept longer than necessary.
Those respondents who agreed that the guarantee contained enough information sometimes commented that it could only contain a limited amount of detail and would need to be backed up by supporting documents. One public sector respondent felt that the "proposals strike a good balance between giving the individual too little (or no) information and burying him/her under a great amount of detail. (Specific information should be available on request but not as a matter of course.)"
Q.2: The document at Annex B is clear about what I can expect and is easy to understand.
Several respondents commented that for the guarantee to be useful, it would need to be informative and easily understood. Over-two thirds of respondents agreed that the document was clearly worded. 20% disagreed and 18% expressed no opinion. While a number of respondents said that the document was written in plain English, the respondent for the Improvement and Development Agency for Local Government was concerned that the most vulnerable in society might not be able to understand all of the issues covered. The Law Society suggested that the guarantee be tested on user panels to ensure it was sufficiently accessible to all. One private individual thought that the guarantee should be re-written by the Plain English Campaign.
Q.3: The document at Annex B makes me feel more confident about the way the public sector handles my information.
Overall 44% of respondents agreed that the document made them feel more confident. An almost identical number of private and public respondents agreed with the statement.
40% of private respondents disagreed (Fig 2). Many of them suggested that a stronger guarantee was needed and that a piece of paper on its own was not worth much: evidence would be needed that it was being complied with. One public sector respondent referred to the "proliferation of bland statements which are unlikely to engage a sceptical public". Many respondents suggested that for the guarantee to command respect, it would need to be backed up by strong evidence that organisations were complying with it. The response from the Information Commissioner's Office typified this idea:
" ...any such statement will only help to build trust if it is more than just a statement of intent. If it is to be a guarantee, or a commitment, the promises given within the draft charter have to be met& If the charter is to be effective therefore there has to be some mechanism to ensure that public organisations comply with it".
| Private | Public |
 |
 |
| Fig 2 | Fig 3 |
A number of respondents suggested that organisations would need to have rigorous audit arrangements in place to ensure that the standards in Annex B were being enforced.
Other respondents would be more reassured if the document let them know how they could access information held on them and that there were easy methods of redress if organisations were found to be not complying with the guarantee. A few respondents would also be reassured if organisations regularly (perhaps annually) sent data subjects a copy of the information held on them for verification.
A number of people suggested that their confidence would be increased if the document included a promise that information would not be sold for commercial purposes, or would not be passed on to commercial organisations without the consent of the individual.
It was also suggested that details of security safeguards and a guarantee that all organisations meet an agreed standard on IT security, would provide reassurance. A number of respondents felt that the use of privacy enhancement technologies would do more to increase public confidence than any written statements.
One local authority respondent thought that although the guarantee might not instil confidence in the public, its existence (and that of the supporting documents) would encourage public sector workers to accord a higher priority to good information handling.
Q.4: Do you have any further views about ways to let people know the standards the public sector should meet when handling personal information.
About a third of all respondents put forward ideas about ways of presenting the standards in the consultation document to the public by other means.
The most common view was that there should be a national advertising campaign, in which information rights, the protection afforded by data protection legislation and the role of the Information Commissioner, could be publicised by leaflets and posters in public areas, such as libraries, schools and Benefit Offices. A few people suggested a wider campaign involving mail shots and newspaper, television and radio advertising. Many respondents suggested that general standards and guidance on information sharing should be made available on public sector websites.
A number of people said that it would be helpful to highlight this sort of information at first points of contact, such as in doctors' waiting rooms or on forms. It was also suggested that a telephone helpline be set up to deal with information rights enquiries.
The Law Reform Committee of the General Bar Council believed that instead of a guarantee or charter, there should be greater promotion of the Information Commissioner and his role in providing independent advice on data-protection, privacy and data sharing issues, by including details of his role and contact details on forms and web sites.
The Data Protection Practitioners Group believed that a guarantee was unnecessary but that each organisation should "show excellence and integrity in personal data sharing by carrying out regular internal audits on how they manage personal data."
Q.5: In your view, should public sector organisations provide one common statement on information handling, or separate service-specific statements?
94 respondents agreed that it would be helpful to have one common statement about data sharing such as that at Annex B, in addition to service-specific statements. While 60 respondents thought that it would be better for organisations in the public sector to provide service-specific statements only.
Of those classified as private individuals, 53% preferred the one common statement approach (Fig 4). On the whole, public sector workers were a little less decided: a quarter expressed no opinion on this question. 46% of them preferred the one common statement and 29% opted for service-specific statements only (Fig 5).
Those who agreed with the guarantee concept sometimes commented that it was important that the whole of the public sector should sign up to the same standards. A fairly common comment of those who favoured having only service specific statements was that a 'one-size fits all' approach was impractical given the enormous variations between public sector organisations in size, resources and functions. Some felt that individual organisations should be able to draw up their own documents, taking account of local conditions.
| Private | Public |
 |
 |
| Fig 4 | Fig 5 |
Q.6: In your view, which name would be most appropriate for the document: guarantee, charter, commitment, other?
The favourite option was guarantee: chosen by a third of all respondents. Overall the second most preferred title was commitment (23%), followed by charter (21%). Guarantee was felt to be the strongest term, most likely to inspire confidence. However, some were concerned that it would, falsely, suggest that the document was legally binding. Some respondents suggested other titles, such as 'promise', privacy statement, privacy policy or pledge. Some thought that the title should contain the word 'rights': for example, "your rights under data protection legislation" or "your statutory rights". A couple of respondents suggested that the document could be called a statement of duty or a statement of the standards organisations will have to meet when they handle personal information.
Q.7: Where data is shared without consent do you agree that the document at Annex B should detail all the circumstances when this might happen, or only the supporting documents should detail all the circumstances when this might happen?
50% of private individuals thought that Annex B should describe all the circumstances when personal information may be shared without letting people know. In contrast, 64% of public sector workers thought that the supporting documents, rather than Annex B, should provide this information.
However, looking at the responses overall, half of all respondents thought that the list of circumstances is better placed in the supporting documentation (Fig 6). For example:
"Annex B provides an overarching statement about information use in the public sector and by its nature it should not detail every circumstance in which personal information may be shared without consent& . The most usual purpose for sharing information without consent is to detect and prevent crime, and the public is sympathetic to this purpose and as such these are the only purposes that should be referenced in Annex B" (Environment Agency).
All respondents
Fig 6
A number of respondents thought that it would be helpful to mention that information could be used anonymously for research purposes.
One public sector respondent believed that the document should not mention data sharing without consent at all, since to do so would diminish public confidence. However, others felt that to avoid detailing all of the occasions when information might be shared showed a lack of transparency. One believed that failure to list them made the document 'a whitewash'.
Q.8: The document at Annex B contains enough of the main principles of the Data Protection Act 1998.
Q.9: If you disagree with question 8, what else should be included?
Over half of all respondents agreed that Annex B contained enough detail about the data protection principles. This is also reflected in the private individual/public sector breakdown, where 51% of both sectors agreed with the statement.
Nonetheless, 35% of private individuals and 44% of public sector employees thought that the document did not have sufficient information about the data protection principles. A number of respondents believed that Annex B should describe, in plain English, all eight of the Act's data protection principles. One feared that if this were not done, public sector employees might come to respect only the promises included in it and not the eight principles in full. Many respondents said that there should be a clear reference to people's right to have access to the information held on them. Some asked for more detail on the 1st principle, and what constitutes fair and lawful processing. All of the other principles were also specifically mentioned by respondents, either because they were missing (such as the 8th principle on not transferring data to non EEA (The European Economic Area comprises the 15 Member States of the European Union together with Iceland, Norway and Liechtenstein) countries) or because respondents thought they were insufficiently emphasised or explained, such as the 4th principle on ensuring data accuracy.
Q.10: As an employee of a public sector organisation, I think that the document is realistic.
Q.11: If you disagree with question 10, please explain.
56% of public sector respondents agreed that Annex B was realistic in its aims. 28% disagreed with this statement.
Those who disagreed were mainly concerned about the practicalities and resource implications of implementing and distributing Annex B and the supporting documents. Some expressed doubts that all public bodies, including very small non-Departmental public bodies, would be able to comply with all of the promises in the guarantee. One local authority respondent summed up this view:
"we believe that this document makes categoric statements that are unlikely to be achievable in practice. As it stands, this document raises unreasonable expectations."
The Data Protection Practitioners Group felt that the document at Annex B went beyond the requirements of data protection legislation since it requires public sector organisations to explain if people do not have a choice about providing information, if they can refuse to have their data shared with another organisation, and when information may be processed without the subject's consent.
A local authority respondent said that it would be particularly difficult to ensure compliance with the guarantee when using contractors. This was also the concern of a respondent from a private company who was afraid that private companies carrying out work for the public sector would be forced to comply with 'restrictive and unnecessary mandates'. A number of respondents believed that the documents proposed in the consultation paper would merely introduce another layer of bureaucracy.
The respondent from the Office of National Statistics (ONS) said that organisations that provided personal information to them could find it burdensome to let everyone affected know this.
Q.12 and Q.13: The consultation document proposes the right methods for bringing the over-arching guarantee and service specific privacy statement to the attention of the public, in particular to those people who are asked to provide information.
Over half of all respondents agreed that the methods proposed in the consultation document, for bringing Annex B and the service specific statement to the attention of the public, were correct
Less than a quarter of all respondents disagreed with this statement. On the whole those who disagreed thought that it was necessary to engage further with the public by undertaking a national advertising campaign. As one respondent pointed out:
"We support all the methods for bringing the Guarantee and Service Specific Statements to the attention of the public as set out in the consultation documents. [However] we also believe that a high-profile nationwide promotion campaign, run by the Government or the Information Commissioner, would greatly enhance public awareness". (Newcastle City Council)
Many respondents agreed that it was a good idea to publish the documents on websites, and one suggested that there could be hyperlinks on the guarantee to the supporting documents. However, as a few respondents pointed out, this would not be sufficient as not all people have access to the Internet. Other suggestions for publicising the guarantee were to use:
individual organisations' publications, such as annual reports
audio tapes
local authority free newsletters
Freedom of Information publication schemes
enclosed with council tax bills/literature
recorded messages on telephones
Others were concerned that the methods proposed were excessive. A few said that there should be some mechanism to ensure that people did not receive several copies of the guarantee or identical or similar service specific statements. Some public sector respondents mentioned the additional burden that the proposed methods might place on organisations. One suggested that the guarantee should be produced and promoted centrally rather than the cost of doing so being borne by individual organisations. A few suggested that service specific statements would not always be necessary: the guarantee would suffice. Some thought it was sufficient to display the guarantee on websites and in public areas but unnecessary to supply paper copies with every request for information.
Q.14, Q.15 and Q.16: The suggested code of practice includes all the necessary headings. If you disagree, what else should be included? If you think any of the headings in the code are unnecessary, please state which one/s.
The consultation paper proposed essential headings for codes of practice on data sharing. 66% of all public sector workers and 58% of private individuals agreed that all the necessary headings were included.
20% of all respondents thought that some essential headings could be expanded upon, or were unnecessary. Many respondents wanted to see a section listing the organisations that would share personal information. Some wanted greater information on the Data Protection Act 1998 as well as references to other information rights legislation, such as the Freedom of Information Act 2000 , Environmental Information Regulations and the common law duty of confidentiality. They also wanted more information about the issue of obtaining consent to supply or share data and reference to the fact that people can withdraw consent at any stage. A couple of respondents suggested that the document should include standards on auditing and compliance monitoring, such as those described in the Information Commissioner's Manual. One respondent commented that reference should be made to the rights of the individual, other than subject access, under the Data Protection Act 1998: the right to prevent processing likely to cause damage or distress (section 10); the right to prevent processing for direct marketing purposes (section 11); the right in relation to automated decision taking (section 12); the right to compensation for any breach of the DPA (section 13); and the right to go to court to seek an order requiring a data controller to rectify, block, erase or destroy inaccurate data (section 14).
There were far fewer responses to question 16. However a few respondents said that the 'report and reviewing' heading was unnecessary.
Q.17, Q.18 and Q.19: The proposed data sharing protocol includes all the necessary headings. If you disagree, what else should be included? If you think any of the headings in the protocol are unnecessary, please state which one/s.
Half of all respondents agreed that the proposed protocol framework included all the necessary headings. Some of these respondents provided supportive comments, suggesting that a common format for data sharing agreements between organisations would be welcome.
However, 40% of public sector workers disagreed in contrast with only 16% of private individuals. Many respondents who disagreed said that it was necessary to explain clearly which members of the public would be affected by the data sharing agreement and who owned the data. They also thought there should be clear and comprehensive descriptions of what data would be shared and with whom. A number of people suggested that the section on the legislative basis for sharing data should be expanded to refer to the individual's right to privacy (Article 8 of the European Convention on Human Rights), the duty of confidentiality and any other relevant legislative powers that enable the sharing of personal information. Four people also pointed out the need to provide definitions for terms such as 'data sharing gateway'. One person suggested that there needed to be a clearer explanation of the purpose and intentions of a protocol.
A considerable proportion of those that disagreed thought that it was important to deal thoroughly with the issue of consent, including an explanation of the procedures for obtaining consent and individuals' rights to refuse information about them to be released to third parties.
One respondent, from a charity, thought that the protocol should make specific reference to data sharing arrangements where the passing of information from one organisation to another was mandatory. The Data Protection Practitioners Group thought it should reflect what the arrangements would be when data sharing took place on an ad hoc basis.
Several respondents said there should be a section on dealing with subject access requests when a data sharing arrangement was in place.
Other possible headings mentioned were:
the anonymisation of data, e.g. for statistical purposes
ISO 17799 compliance (on information security)
the e-government Interoperability Framework (on common methods of recording data)
dealing with classified information
the position of sub-contractors
how the protocol will be enforced
reporting on breaches of the protocol
how data subjects' rights will be protected and guaranteed
agreed fair processing notices
Only 11 people responded to question 19. Four respondents thought that it was unnecessary for the protocol to include a section on training and two people said that they were unsure about the need to mention review of data sharing procedures and protocols.
Q.20, Q.21 and Q.22: The attached management guidance includes all the necessary headings, If you disagree, what else should be included? If you think any headings in the guidance are unnecessary, please state which one/s.
55% of all respondents agreed that the management guidance included all the necessary elements. However 24% of all public sector workers disagreed and 17% expressed no opinion on the subject.
Many of those who disagreed thought that the checklist on subject access requests (SARs) should include more detail on the procedures for processing SARs, for example on verifying the identity of the applicant, and saying who should deal with the requests. Other suggestions were to include information, or further information on:
Audit and review
Best practice on asking people for their personal information
Transfer of data
Reporting breaches of security
Criminal penalties for breaking the Data Protection Act 1988
Dealing with sensitive information
Release of information under the Freedom of Information Act, the Code of Practice on Access to Government Information and Environmental Information Regulations and ensuring it is done in accordance with the Data Protection Act.
Notification to the Information Commissioner on data held and data controllers.
Only 7 people responded to question 22. On the whole these respondents thought that the management guidance was wholly or partly unnecessary since there was a degree of overlap with the code of practice and with existing training manuals. One local authority respondent thought it was unrealistic to expect all staff handling personal information to have training in confidentiality issues. The respondent suggested instead that a confidentiality clause be included in staff contracts (including contracts for temporary staff).
Q.23 and Q.24: The proposed complaints procedures contains all the necessary elements. If you disagree, what is required?
55% of private individuals and 48% of public sector workers agreed that the complaints procedures proposed in the consultation document covered the necessary points. A much smaller proportion of respondents disagreed with the statement: 13% of private individuals and 17% of public sector employees.
This element of the questionnaire was faulty: respondents should have been asked if anything in the proposed complaints procedure was unnecessary, as well as what was missing. Indeed, most of the comments centred on what was unnecessary, with many saying that it was not necessary to develop new complaints procedures specifically on complaints about data handling, since this would be burdensome and many of the elements were already incorporated within existing procedures. One respondent questioned the need for one organisation to explain differences between its complaints procedure and that of data sharing partners. However, a few respondents suggested that the proposed document could be absorbed into any existing complaints procedures and that it would be helpful for organisations to adopt a common format on complaints about data handling.
On what was missing, some respondents said that they would like a much clearer definition of what is meant by a complaint and what this specific type of complaint might cover; for example, a breach of the principles detailed in the Data Protection Act 1998. Several respondents said that there should be a section on redress when a complaint is found to have been justified, covering compensation, damages and redress through the courts. One respondent said that members of staff should know about their own rights to appeal if a complaint is upheld against them. In addition, a respondent from one government department recommended that the document include procedures for recording, monitoring and analysing complaints in order to gauge which areas of information handling require improvements. One respondent suggested there should be a section on treating all complaints equally.
The Information Commissioner commented that the guidance should make clear that the Commissioner was not an ombudsman but a regulator. Although he would undertake an assessment of specific data processing, at anyone's request, to ensure compliance with the Data Protection Act, it would be for him to decide whether or not to take enforcement action.
Q.25: Do you think that the supporting documents should be: free of charge, available for a fee to cover the organisation's costs, or no opinion?
Over two thirds of private individuals and over half of public sector workers thought that the supporting documents should be available free of charge. Less than a third of private individuals and about a third of public sector workers thought that the documents should be made available for a fee. One public sector respondent commented, "I can't help but believe that we should provide supporting documents free of charge - should we go down the route of charging, government bodies could be accused of trying to hide information (i.e. some people may not be able to afford supporting docs)." Those who thought a fee should be charged sometimes commented on the expense to the organisation of producing hard copies of what might be fairly lengthy documents and the need to deter vexatious, frivolous and repeat requests. A number of respondents commented that the supporting documents could be made available on organisations' websites. One respondent mentioned that if a fee were to be charged, this should be made clear on the guarantee.
| Private | Public |
 |
 |
| Fig 7 | Fig 8 |
Further Comments
A number of respondents put forward general observations and recommendations about Annex B. In some cases, these comments could not be easily classified under any of the specific questions above.
Although the consultation was not primarily about data sharing, many respondents, raised concerns about this. A few members of the public said did that they did not feel the document at Annex B was a sufficient safeguard and that the public sector would share personal information regardless of its promises.
Supportive comments were generally that Annex B was clear, easy to understand and helpful. For example, Newcastle City Council and the NERSC (a consortium of 26 local authorities), said that they were generally in support of the document and thought that Annex B and the supporting documents would have the following benefits:
"it will increase public awareness of data used and privacy issues.
It will, over time, increase public trust in how public sector organisations use their personal information
It will improve the awareness among staff of the need to follow a consistent and transparent approach to the use and disclosure of personal information".
Essex and Worcester County Council were more cautious: while both said that they would like to adopt elements of Annex B, they also had fears about the ability of all public organisations to meet the standards in the document.
The Office of National Statistics (ONS) said that the Government Statistical Service (GSS) would not be able to apply Annex B in situations where data was collected for statistical purpose. The GSS is in the unique position of providing unbiased up-to-date information about society and the economy to government, parliament and the business community. It would therefore be ineffective for the GSS to give individuals the choice to volunteer their information and to tell them what information government departments hold on them. They already follow a strict Code of Practice by means of survey specific guarantees. Nonetheless, the ONS said that they were willing to adopt Annex B for the non-statistical collection of data and explained that it could be incorporated into their customer contact service.
The Data Protection Practitioners Group thought that, although the documents referred only to personal information on living people, some provision should be made for the protection of information on deceased people to avoid harm or embarrassment and to comply with the duty of confidentiality. They also thought that the guarantee (as well as the supporting documents) should cover the situation where information is volunteered, rather than being requested.
Four respondents, The Law Society, one member of the public, Essex County Council and The Constitution Unit produced their own versions. Some of their suggestions are taken into account below, as are those of the many other respondents who suggested amendments:
Change the wording of Annex B, so that it refers throughout to 'your information', since the supplier of data retains ownership over it.
Remove the word 'will' in the heading and throughout so that it reads in the present tense 'This is how we look after that information' (to avoid suggesting that the guarantee applies only to fresh collections of data and not what is held already).
Include the word 'promise' in Annex B: "When we ask for
personal information,
Re-word bullet point four to read 'Let you know if we need or intend to share personal information with other organisations'. (Or delete 'need to'.)
Add to bullet point five to read "make sure we don't keep it any longer than necessary and tell you how long that will be".
Bullet point six (in return, we ask you to give us accurate information) was seen by some respondents as inappropriate: it could imply that the onus is on the public to ensure records held on them are accurate, rather than on the data controller. Include, instead, a promise to ensure information is reliable and up-to-date
Change 'At any time you can ask us for further details..' to 'we guarantee to provide details...' (Or delete 'at any time', which suggests a 24 hour, seven days a week service.)
Be more precise about where the further details are available and how to obtain them.
Include a statement saying "Before we ask you to give personal information we will have prepared and published a privacy statement which we will copy to you on request'
Add that public organisations will not ask for irrelevant or excessive personal information.
Add a sentence about subject access rights, correction of anything inaccurate or misleading and how to make a complaint.
Add a promise that we will ask consent before sending any promotion or marketing material.
Add a guarantee that we will not sell data to commercial organisations
Include reference to the fact that information may be held on computer or on paper
Include contact details for the Department for Constitutional Affairs in case people want to raise questions about the standards set out in the document.
A few people thought that the padlock logo on Annex B could be confusing, as this was an Internet symbol for secure websites and might therefore not be appropriate on a paper document.
Conclusion
Responses to this consultation exercise revealed many opposing and sometimes contradictory views. While some saw the proposed guarantee/charter as containing too many promises that it would be hard to keep, others thought it should go much further. While some found the document over-simplified, others thought it would not be easily understood. And while some thought the document did not contain enough information on data protection, others thought that a much shorter one would be more likely to be read. These differences were not always along a public sector / members of the public divide: indeed, it was notable that the public/private split was not that significant for the majority of questions.
Overall, there was support for the concept of a guarantee (the most favoured name) that would let people know their rights in a simple, easy to understand form. There was also support for a common guarantee applying across the public sector, with local differences being reflected in organisations' own documentation and information leaflets. We will therefore go ahead with development of the guarantee, but more work will need to be done to ensure we take account of opposing concerns and reconcile them as far as possible.
We will therefore revise the guarantee, taking account of many of the helpful suggestions put forward in this consultation exercise and working closely with stakeholders. We will aim to produce a document that is both robust and not a dilution of the Data Protection Act - with which all public authorities should already be complying - but does not go beyond it. We will carefully consider, with stakeholders, whether any other of the data protection principles should be included in the guarantee or further highlighted. The consultation response strongly suggests that clearer reference should be made to people's right to access to information held on them. However, we do want to avoid producing something that is too long and contains provisions that could seem irrelevant to many people (such as the 8th principle) or that would be difficult to explain in brief (such as the 1st principle).
We will also consider very carefully the suggestions respondents made about the elements they thought necessary in the guarantee to inspire confidence.
Opinions were split on whether the guarantee should list occassions when data may be shared without consent. Overall, we do not think it is helpful to quote a section of the European Convention on Human Rights out of context and without any explanation. To simply say that data might be passed on, for example, for 'the protection of the economy' or 'the protection of health or morals', is likely to raise more questions in most people's minds than it would answer.
We will consider the suggestions on how else the information conveyed in the guarantee could be conveyed to the public to obtain maximum impact. However, while an advertising campaign could help raise awareness, we believe that people are most likely to pay attention at the point when they are being asked to give personal information about themselves and so data protection is of immediate relevance.
We will discuss with stakeholders the best way of implementing the guarantee to ensure maximum compliance by the public sector and the most practical ways of bringing it to people's attention without drowning them under a sea of paper. This will partly rely on the use of websites, but we will also take care not to exclude those who are not able, or do not wish, to use the Internet.
We are pleased that a relatively high proportion of respondents thought the guarantee was clear and easy to understand. We will work with the Plain English Campaign to ensure the guarantee is easily understandable and will also work to ensure accessibility to as many people as possible, regardless of language or disability.
We will also continue work on helping the public sector to produce the supporting documents outlined in the consultation paper, to avoid duplication of effort among organisations.
Abbott, Philip
Aberdeen City Council
Spalding, Hazel
Aberdeenshire Council
Birnie, Owen
Adair, Lorna
Ainsworth, Neil
Allen, Mike
Allison, John
Angus Council
Adam, Jam
Armstrong, Chris
Association of Greater Manchester Authorities
Matley, Kathryn
Audit Commission
Cannon, John
Audit Scotland
Boath, Helen
Baker
Barnardo's Harvey, Bob
Basant, S
Bates, Ian
Baxter, R. S
Beanie, Robert
Cabinet Office
Payne, Trudy
Carter, Rosemary Anne
Chadwick, Nan
Cheshire Record Office
Pepler Jonathan
City of Edinburgh Council
Carter, Rosemary
City of Wakefield Metropolitan District Council
Pitt, John
Clay, Alfred
Collins, Mick
Cooper, Laurence
Corporation of Lonon
Pietsch, Anne
Cox, Philip
Crawley Borough Council
Smith, Trevor
Croydon Social Services
Tomkins, Lesley
Currigan, Steve
Data Protection Practitioners Group
Sterling, Tessa
Davis, Keith Dr
Dean, Cyril
Demos Protocol
Williams, Stephen
Department for Constitutional Affairs
Civil Justice Division
Parker, James
Department for Education and Skills
Walters, Richard
Hicks, Roy
Department for Environment, Food and Rural Affairs
Waller, David
Department of Health
Bahadur, Meera
Miller, Susan
Devon Country Council
Hoskin, Peter
Diabetes UK
Thomson, Karen
Doherty, Michael
Dougherty, John
Dundee City Council
Murray, Julie
Education Leeds Taylor, Paul
Ellis, Eloise
The Environment Agency
Treacher, Bob and Carlyle, Stefan
Essex County Council Burley, Helen
Fitton, Richard Dr
Folbigg L.J
Forensic Science Service
De Gray, Emily
Fraser, David Dr
Frayling, Dianne
Gage M. J. W
Gateshead Council Kelly, R. M
Gaus, Bernard
General Medical Council
Houlton, Sophie
Glasgow City Council
Murray, Elma
Grant, Kelly
Gray, A
Greater Glasgow Health Council
Crawford, Danny
Guy, Lynne
Hann, Janet
The Hadfield Medical Centre
Webber, Fred C
Hardman, John
Heaton-Smith, James
Hendricks, Gerry
Higginson, Bill
The Highland Council
Tyreman John
HM Land Registry
Lewis M. J
Holmes, R H MR
Home Office, CRPU
Radburn, Stephen
Home Office, FOI & Data Protection Practitioner's Group
Callow, Martin
Home Office, Information Sharing Team
Knott. Jennie
Hulse, Stuart
Improvement and Development Agency
Wood, Nicola
Information Commissioner's Office
Bloomfield, Peter
Infoshare Limited McKeon, Adrian
Kemp, Jeff
Kirklees Metropolitan Council Wilks, Leif
Laley S. R. J
Lambert, Chris
Large, Brenda
Law Reform Committee
Bye, Jan
The Law Society of Scotland
Drummond, Stuart
Lee-Bourke, Alan
Leeds City Council
Turnbull, Mark
Legal Services Commission
Elliot, Jacquie
Limbrick, Colette
Lincolnshire County Council
Johnson, Chris
London Borough of Lambeth
Seaton, Alastair
London Borough of Sutton
Clinnick, Annette
London Underground Ltd.
Choudhury, Amrapali
Mackay, Lady Lucinda
Manchester NHS Agency
Bigwood, Sally
Mansell, Fay
McIntosh, Alan
Microsoft Ltd.
Lambert, Matt
Middlesex Hospital
Benn, Sue
Middleton, K. Y
Mountain, David
Munton, John
National Association of Data Protection Officers
Withe, Edwina
National Housing Federation
Ogunjobi, Fola
Newcastle City Council
Gun, David
Nicholes, B
Norris, GWJ
Nottingham City Council
Pitchers, Mike
Stead, Alan
Office for National Statistics
Jackson, Paul J
The Office of Fair Trading
Philpott, David
Ofgem
Chiy, Paul
Ordnance Survey
Sutherland, Neill
Parry, John
The Pennine Acute Hospitals NHS Trust
Noon, Patricia
Perry, M
Perth & Kinross Council
Henderson, Donald
Piercy, Roy A
Preston, A
Professional Projects Co Ltd
Brazier, John R. T
Rampley, Dennis N
Rattary, Bill
Redcar & Cleveland Borough Council
Hadfield, Graham J
Ritchie, Alan
Roper, John
Sandford-Smith, Ben
Scott Catherine
The Scottish Executive
Doig, Barbara
Scottish Natural Heritage
Lopez, Frank
Sevenoaks District Council
Barnett, Trevor
Shalice, John
Sharp, Cassie
Shepway District Council
Skeats, Martin
Simpson, Timothy
Solihull Metropolitan Borough Council
Hobbs, Peter
Southampton City Council
Fisher, Louise
South East Trading Standards Authorities
Bligh-Cheesman, Patrick
South Lanarkshire Council
Cienkus, Lucy
Star, M
Stephenson J.
Stevens, Susanne
Stockport Social Services
Kennington, Jennie
Surrey County Council
Ponniah, Griselda
Swansea National Health Service Trust
Reynolds, Jeff MR
Telephone Helplines Association
Wilby, Kit
Thomas, Dale
Thomas, Roger
Took, Mike
Todd, Brian
Tomkotowicz, Stephen, M
Tozer, Ed
Trading Standards Institute
Allen, Tony
Tubbs, Martin
University College London,
The Constitution Unit,
Maer, Lucinda
Vale of Glamorgan Local Health Board
Porter, Tracey
Watervoice
Morris, Jane
West Dorset District Council
Davidge, Sheila
West Dunbartonshire Council
Huntingford, T
Westminster Council
Howard, Stephen
West, Pat
West Sussex Country Council
O'Neill, Paul
Wheatcroft, Angela
White D
Wilson, R
Worcestershire County Council
Wilton, Debbie
Wylie, Luciell
Wynd, R. J
Annex B - A Guarantee
|
||||
Annex C - Questionnaire
![word document [88kb]](../../img/icon_doc.png){kind=icon}