SCC encourages data sharing. In fact, many organisations around Surrey are already routinely and successfully sharing data. The MAISP itself is proof of the commitment SCC has to encourage the safe and lawful sharing of data.
Neither the Data Protection Act nor the UK-GDPR stop data sharing. They provide a framework so that you can be confident that when you do share data it is done legally, safely and that the people whose data you share have access to all their rights.
The ICO have set out some Data sharing myth busting pages that give some additional information.
The Government has also made commitments to improve how it uses data to drive better public services. It devised a framework for sharing personal data, for defined purposes across specific parts of the public sector, under the Digital Economy Act 2017 (DEA)
A very good example is the recent work done with the Electoral Canvas Reform that successfully linked recent data transactions across public data sources including the Driver and Vehicle Licensing Agency, HM Passport Office, HM Revenue and Customs, Department for Work and Pensions, Department for Education and the Education and Skills Funding Agency to ensure much better electoral representation and better Electoral Registers. Electoral Registers are the corner stone of many public sector services, including recently as an invaluable source of information in the battle against Covid: Test & Trace efficiency. A more local example is the work being done by the Surrey Office of Data Analysis (SODA).
New data-driven technologies create enormous opportunities but may also present some of the biggest risks related to the use of personal data. It will be vital to ensure that the public are confident that any use of their data is both ethical and beneficial otherwise there is a real danger that they will reject or object to the use of their data anonymous or not.
The current Government's National Data Strategy does make specific references to a very ambitious record linkage programme that will expand all of Governments use of data analytics.
One example is Policing and its use of predictive analytics, which are programmes that evaluate police data about past crimes to identify 'hot spots' of high risk on a map. Practices that use historical data to analyse trends allow us opportunities to work proactively and preventatively in areas such as Fuel Poverty and Health and Wellbeing. Early intervention will stop more costly acute and remedial intervention.
An Integrated Care System (ICS) Data Strategy is currently being developed jointly by Health, Council and the Police.
The public sector must be very diligent about, and sensitive to, the ethical use of data but this does not mean it cannot happen.
Both the UK-GDPR and DPA set out processes and procedures for automated decision-making, including profiling and you should check your local procedures before undertaking any processing.
Those checks should include, but are not limited to:
- A DPIA before any sharing takes place
- Rights for data subjects, including the right to object, included in Privacy Notices.
Data Analytics, AI and the MAISP
The UK Government is planning for the UK's "data estate" becoming an even more valuable national asset and is moving towards increased data sharing.
Here in Surrey we already have, and use, Surrey Online Data Analysis (SODA), which was launched in 2020 and is bringing together analytical skills across six strategic partners seeking to address major challenges across all our public sector areas. The underlying principle behind information sharing in SODA is of 'a duty to share data unless there is a legal or ethical reason that prevents sharing'.
Remember, there is a difference between sharing truly anonymised data for research purposes and data that is being processed automatically for a defined outcome or research.
The MAISP can help by showing that any concerns have already been taken into account before the data was used.
Remember also that the UK-GDPR and DPA allows for the long term retention of data for:
- archiving purposes in the public interest;
- scientific or historical research purposes; or
- statistical purposes.
Data Privacy Impact Assessments (DPIAs)
Very simply put a DPIA is a risk assessment tool. DPIAs are used to minimise risks to persons and their personal data from how an organisation processes the personal data. An effective DPIA can help you to fully evaluate processing activities and identify where and how to meet your data protection obligations.
A DPIA must be carried out when the data collection and processing is likely to result in a high risk to the rights and freedoms of the individual (this usually refers to financial, reputational or emotional damages but you should also be aware of physical risks) and:
- Carrying out systemic profiling
- Large scale processing of sensitive data, such as health data
- Using new technologies
- Public monitoring
You shouldn't just do a DPIA and forget about it. It must be updated as the process develops, particularly as any issues are identified.
You should check your local DPIA procedures. Your DPO or IG Team will help you find them or you can use the ICO screening checklists.