Department for Constitutional AffairsPublications

| Publications | Press notices | Consultation papers | Reports and reviews | Research | Speeches | Annual reports | Legislation | Green papers | White papers | Better regulation | General guidance for individuals | Guidance for professionals | Statistics | Archive

|© Crown Copyright & Disclaimer

Home > Publications > Forms & Guidance > Guidance for professionals
The Department for Constitutional Affairs
Information Rights Division
4th Floor MWB Business Exchange
10 Greycoat Place
London SW1P 1SB
DX 117000

Telephone: 020 - 7960 6515
Facsimile: 020 - 7654 3586
Email:

www.dca.gov.uk

November 2003

Dear Colleague

Data Sharing in the Public Sector: Guidance on the Law

The legal guidance

  1. The document, Data Sharing in the Public Sector: Guidance on the Law - which has its origins in the 2002 Cabinet Office report Privacy and Data Sharing: the way forward for public services- sets out a comprehensive high level view of the current legal framework law as it applies to the sharing of personal data within the public sector. It has been prepared by lawyers at the Department for Constitutional Affairs (DCA), with significant input from legal advisers and other officials across government and in consultation with the Information Commissioner and the Local Government Association. As such, it can be taken as an authoritative view of the law in this area. It covers all those general areas of law - administrative, Human Rights, common law confidentiality and Data Protection - that impact on whether and how the public sector can share personal data for legitimate and appropriate purposes.

  2. As the Secretary of State notes in his foreword, this is an undeniably complex area of law, with many interactions to consider. However, the government strongly believes that data sharing, for legitimate purposes and in accordance with the safeguards that exist in law, can be less problematic than many believe. While, on its own, this guidance cannot answer every question that might arise - and in no way should be seen as a substitute for obtaining appropriate legal advice on the specifics of a particular policy or delivery proposal - it is a mechanism for ensuring that public sector bodies understand how they need to approach these issues and to give them a route map to help them through the process.

  3. It is the intention that this guidance should act as the top level of government guidance on data sharing. Specific guidance issued by departments should be read in conjunction with this DCA guidance. In this way it should be possible to develop a greater consistency of interpretation of the law and a more common approach across the public sector

How to approach data sharing

  1. As the guidance sets out, the first and most important step is to ensure that vires (the power in law) exists for the policy or service to which data sharing is a necessary part. It is important, therefore, not to look on data sharing as an activity in isolation, any more than processing should be seen as such: they are both in support of a substantive activity. If such vires do exist it is also not necessary to rely on the presence of a statutory gateway to establish the ability to share data: this can be implied from the terms of the legislative backing for the overall policy or service (although the existence of a gateway will add extra clarity and certainty).

  2. However, the existence of appropriate vires does not mean that other issues can be ignored. The provisions of the Human Rights Act, the common law duty of confidentiality and the Data Protection Act all have to be considered in terms of the impact of the proposed policy or service on the legitimate rights of the individual whose data is to be used. The watchword here should be proportionality: how intrusive is the proposed use of data and is this use reasonable and proportionate in relation to the ultimate purpose to which the data is to be put. The guidance considers these issues in some detail. The general conclusion is that these are not insurmountable barriers to data sharing, but necessary restrictions that strike an appropriate balance between individual rights to privacy and confidentiality and the need of the public sector to make more and better use of personal data for the public good. In doing so, it will be important to ensure practical arrangements are in place so that only those staff who genuinely need to see personal data to carry out their work can do so.

  3. Consent is an issue that causes much uncertainty. Consent, on its own, is frequently unnecessary in ensuring Data Protection Act compliance (it is just one of the Act's several Schedule 2/3 conditions, any of which, if met, provide a legitimate condition for the processing of data). Problems arise in relation to data sharing if there is a lack of clear vires for the substantive activity and, if this is the case, consent does not resolve the problem (one cannot consent to an ultra vires action). Consent can be an appropriate method of working in many areas - and can be a useful way of ensuring that confidentiality and Human Rights issues are fully addressed - but must be approached with caution as securing and maintaining consent can be difficult.

  4. Finally, it is important to be open about the detail of proposals and their impact on individuals. The Data Protection Act, under the fair processing element of the first principle, requires that data subjects are given information about the purposes for which their data will be processed. This should include sufficient detail so that they can understand any data sharing that may be involved. It is also important to ensure that individuals have the opportunity to understand the processes, agreements and security in place to provide reassurance about how their data is handled.

Further help

  1. In addition to the legal guidance, the data sharing team at DCA will provide an ongoing point of contact and a centre of expertise on general data sharing issues, so that follow-up queries can addressed and best practice identified and disseminated.

  2. This legal guidance also forms part of a general toolkit, aimed at helping practitioners deal with the many problems that can arise when first looking at individual proposals involving data sharing. The second element of the toolkit - guidance on establishing data sharing protocols - is being published on the DCA website at the same time. Over the coming months we intend to add further elements to the toolkit: guidance on complaints procedures, on codes of practice, on Privacy Impact Assessments and an analytical framework to be used when considering data sharing projects, a library of good practice and a series of Frequently Asked Questions, to be updated over time.

  3. If there are any questions about this guidance, or other general aspects of public sector data sharing, please do not hesitate to contact us.

Paul Boyle
Department for Constitutional Affairs
Information Rights Division

 

 

© Crown Copyright