Thursday, September 19, 2013

Is the Data Protection Act harming children?

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.
Last week, the Data Protection Act came under fire following an article published by Secretary of State for Education Michael Gove in The Telegraph, regarding the safeguarding of children in care homes.

Gove’s article was published in response to a review after serious failings put vulnerable children and young people at risk of abuse. While much of the Education Secretary’s criticism is to be welcomed, his censure also extended to so-called ‘data protection rules’, and thereby called into question the effectiveness of the Data Protection Act. In response, Information Commissioner Christopher Graham issued a written statement and appeared on BBC Radio 4’s World at One programme in defence of the Data Protection Act, labelling it an “enabler” rather than a barrier to safeguarding children.

As the Commissioner declared, “there shouldn’t be room for confusion on anything as serious as child protection” – yet, clearly, there is. Gove detailed that the government body Ofsted was ‘prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing data’. Thus even when it matters most, some people evidently feel unable to share confidential information.

What does the Data Protection Act say?

The Data Protection Act states that information can be processed when this is ‘necessary for compliance with any legal obligation to which the data controller is subject’. The Information Commissioner’s Office (ICO), moreover, has gone further to explain this in their Data sharing code of practice: ‘You will need to judge whether it is still appropriate [to share data] and confirm that the safeguards still match the risk.

Thus the Data Protection Act explicitly states that data can be shared when there is a legal obligation to do so, for example in the case of children at risk of abuse. However, it also, and rightly so, calls for appropriate risk assessments and measures be taken to protect that data – because a breach of personal identifiable information brings with it a different type of threat.

Why, then, do some public sector employees feel that they cannot share confidential information, even when doing so will protect vulnerable children? Clearly there is a chronic misunderstanding of data protection law that urgently needs to be resolved. In particular, it is imperative that organisations put in place mechanisms to protect confidential information when it is shared with third parties. Employees must feel empowered to share sensitive data when necessary and confident that they can remain in control of it at all times – not afraid that they risk exposing that information to unintended recipients, which can ultimately threaten the subject’s safety, the organisation’s reputation and potentially the employee’s livelihood as well.

Unfortunately for the ICO, and despite their best efforts to dispel them, so long as these myths about the Data Protection Act pervade, they have an uphill battle to overcome ignorance and bad publicity.

No comments:

Post a Comment