In April 2002, a government report Privacy and datasharing recommended that public organizations appoint Chief Knowledge Officers to integrate information-handling issues into decision-making processes. In the space of five years, a role that had previously been ascribed to clerical-level Data Protection Officers has changed out of all recognition. Significant legislation has been enacted including: a revised Data Protection Act 1998; the Human Rights Act 1998; the Freedom of Information Act 2000; and statutes concerning the interception and retention of communications data. Consequently, public sector organizations – such as local authorities, universities, health authorities and the police – have had to re-evaluate information-handling procedures, together with the roles and responsibilities of those employed in such posts. This article examines the steps public organizations are taking to meet such challenges. Results of studies using a questionnaire survey of public organizations, interviews with experts and 18 case studies are provided. In addition to increases in status of post holders, key observations include improved procedures for handling data subject access requests, enhanced staff training, and informing the public how their personal information is processed. The article concludes with recommendations for improved information-handling.
Get full access to this article
View all access options for this article.
References
1.
[1] Great Britain. Cabinet Office. Performance and Innovation Unit, Privacy and data-sharing: the way forward for public services ( PIU, London , 2002).
2.
[2] Great Britain. Data Protection Act 1998. ( HMSO, London ).
3.
[3] Great Britain. Freedom of Information Act 2000. ( TSO, London ).
4.
[4] Great Britain. Human Rights Act 1998. ( HMSO, London ).
5.
[5] The studies comprise part of co-author Adam Warren’s PhD thesis: Fully compliant? A study of data protection policy in UK public organisations. This is being supervised by Professor Charles Oppenheim and Dr James Dearnley at the Department of Information Science, Loughborough University.
6.
[6] Great Britain. Regulation of Investigatory Powers Act 2000. ( TSO, London ).
7.
[7] Great Britain. Anti-Terrorism, Crime and Security Act 2001. ( TSO, London ).
8.
[8] European Communities. Commission. Directive 95/46 EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data . Official Journal of the European Communities. No. L281/31. (23/11/95).
9.
[9] Compare with Article 1 (1) of Directive 95/46/EC, stating that: ‘Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.’
10.
[10] The European Economic Area is the fifteen EU member states plus Iceland, Liechtenstein, and Norway.
11.
[11] Great Britain. Office of the Data Protection Commissioner, Draft Code of Practice: The use of personal data in employer/employee relationships ( Office of the Data Protection Commissioner, Wilmslow , 2000), pp. 25–34.
12.
[12] D. Smith, Assistant Information Commissioner, Data protection: the Employment Practices Code . NADPO annual conference, University of Warwick. 18–19 November 2002.
13.
[13] J. Wadham, J. Griffiths and B. Rigby, Freedom of Information Act 2000. ( Blackstone, London , 2001), p.ix.
14.
[14] For a full list of exemptions, refer to: Great Britain. Office of the Information Commissioner. Freedom of Information Act 2000: An overview, January 2002, pp.6–7. Available at: www.dataprotection.gov.uk/dpr/foi.nsf (Under ‘General Information’) (accessed 16 January 2003).
15.
[15] The publication schemes are currently being phased in, according to the following timetable: most of central government (November 2002); local authorities (February 2003); police (June 2003); NHS (October 2003); schools and universities (February 2004). Source: Office of the Information Commissioner. Available at: www.dataprotection.gov.uk/dpr/foi.nsf (accessed 27 February 2003).
16.
[16] The Fees Regulations are still at draft stage. Refer to: Great Britain. Lord Chancellor’s Department, Annual report on bringing fully into force those provisions of the Freedom of Information Act 2000 which are not yet fully in force ( TSO, London , 2002) (HC6).
17.
[17] Great Britain. Freedom of Information (Scotland) Act 2002. ( TSO, London ).
18.
[18] Protocol 1, Article 3 of the ECHR guarantees the right to free elections. This provision was incorporated into the HRA 1998.
19.
[19] These uses are electoral purposes, investigation of crime and credit checks.
20.
[20] Great Britain. Representation of the People (England and Wales) (Amendment) Regulations 2002. Statutory Instrument 2002, No. 1871. ( TSO, London , 2002).Available at: http://www.hmso.gov.uk/si/si2002/20021871.htm (accessed 27 February 2003).
[22] J. Borley, Lord Chancellor’s Department, Data-sharing to improve government . NADPO annual conference, University of Warwick. 18–19 November 2002.
23.
[23] The JISCmail data protection discussion list is aimed mainly at practitioners in higher education and local authorities. To join, refer to: http://www.jiscmail.ac.uk/ (accessed 27 February 2003).
24.
[24] When fully enacted, it will extend rights to be informed and consulted in all businesses with 50 or more employees. For text of Directive, refer to: European Communities. Directive 2002/14/EC of the European Parliament and of the Council of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community. Official Journal of the European Communities. No. L 80/29. (23.02.2002).
25.
[25] Interview with Confederation of British Industry (CBI). London, 7 November 2001.
26.
[26] Part of the British Computer Society, the ISEB provides industry-recognized qualifications in various information systems related disciplines. For further details, refer to: www.bcs.org/iseb/ (accessed 27 February 2003).
27.
[27] A professional association for ICT managers working in and for the public sector, SOCITM had a membership that included 90% of all UK local authorities. Refer to: www.socitm.gov.uk (accessed 27 February 2003).
28.
[28] Great Britain. Office of the Information Commissioner, Data Protection Act 1998: Legal guidance ( Office of the Information Commissioner, Wilmslow , 2001), pp. 30–35.
29.
[29] Great Britain. Office of the Information Commissioner. Employment Practices Data Protection Code. Part 3: Monitoring at work. (Draft) ( Office of the Information Commissioner, Wilmslow , 2002). Available at: www.dataprotection.gov.uk/dpr/dpdoc.nsf (accessed 27 February 2003).
30.
[30] Officially formed in April 2002, CILIP is the outcome of a merger of the Institute of Information Scientists and the Library Association. Refer to: www.cilip.org.uk (accessed 27 February 2003).
31.
[31] For further details concerning the Records Management Society of Great Britain, refer to: www.rms-gb.org.uk (accessed 27 February 2003).
32.
[32] The UK government has pledged ‘to make all government services available electronically by 2005’, establishing the Office of the e-Envoy to deliver this and other objectives aimed at getting the UK online. Refer to: www.e-envoy.gov.uk/ (accessed 27 February 2003). In February 2002, Tameside Metropolitan Borough Council claimed to be the first local authority to meet the UK government’s 2005 e-services target. Refer to: http://public.tameside.gov.uk/pressreleases/f1030pressreleasestory107.asp?story=2029 (accessed 27 February 2003)
