Consultation Question 4: Privacy Advisory Service
The consultation paper set out a draft set of objectives for a privacy advisory service and asked: Are the objectives set out for a Privacy Advisory Service in Section 3c the right ones?
The table below shows that over two thirds of those that responded to the yes/no question felt that the objectives for the Privacy Advisory Service as set out in the consultation paper were the right ones. Of the five respondents who identified themselves as data subjects, three felt that the objectives were not the right ones.
|Are the objectives set out for a Privacy Advisory Service in Section 3c the right ones?|
|Type of respondent||Yes, the objectives are right||No, they are not||No answer|
|Multiple categories selected||2||1||4|
The majority of respondents were broadly supportive of the Privacy Advisory Service (PAS) as set out in the consultation paper. One such respondent remarked that
'We strongly support the concept of a 'privacy advisory service' that would provide a recognised source of expert advice to researchers, and offer assistance to them in managing associated risks.' (Wellcome Trust)
In particular the PAS was felt to be useful for situations where data custodians are unsure whether they can legally and appropriately make data available for linkages.
However, one respondent felt it unlikely that PAS would address requirements of the law in accessing data and that such a service would only be valid if it was set up by legal instrument.
In the analysis of the comments on the PAS, the type of respondent (data user, subject or custodian) was examined. The different types of respondents were found to hold similar views on the PAS, the main points of which are outlined in the sections below.
Relationship with other bodies
A number of respondents commented on the relationships between the PAS and other bodies. In particular, organisations that performed related functions to the PAS. One respondent stated:
'It is not clear how this body would fit in with existing organisations that offer such facilities.' (Medicines Monitoring Unit, University of Dundee)
The relationship between the National Data Linkage Centre (NDLC) and the PAS was also questioned. An overlap in roles was noted and it was suggested that the separation of technical and ethical skills could lead to a loss of knowledge on both sides.
The question was raised as to whether the PAS and the NDLC should in fact be separate. As one respondent noted:
'We are supportive of the objectives for a Privacy Advisory Service but see no reason to separate the it from the National Data Linkage Centre (NDLC). Issues of privacy should sit at the centre of the Framework's operation and rather than hiving it off to a separate body, the NDLC seems the best place for it to be sited' (SCRA)
Some respondents went further and questioned the need for a PAS at all, particularly in the current financial climate.
'We are unclear why this consultation is not asking us whether we need to create a Privacy Advisory Service in the first place, rather than about its objectives. There are already data protection officers in every relevant organisation, the NHS has CaldICOtt Guardians and all organisations in Scotland have recourse to the Information Commissioner for Scotland. Rather than create a new body it would make more sense for the Information Commissioner's Office to take on this task.' (Orkney Islands Council)
The above respondent was not alone in questioning the need for such a service whilst pointing out perceived duplication of roles with either the Information Commissioner's Office or the Scottish Information Commissioner.
The Information Commissioner's Office itself was positive in their response:
'The ICO particularly welcomes the proposed establishment of a Privacy Advisory Service (PAS) and believes that this will be of fundamental importance in realising the benefits of privacy assurance and control mechanisms for the research community.'
An alternative to the PAS was outlined whereby data controllers are educated, supported and empowered to work within existing data-protection arrangements, rather than creating a body that will make their decisions for them. This was argued to provide data controllers with 'freedom to innovate and invest in directions they think are viable.'
Whilst not going as far as the above scenario other respondents did emphasise the primacy of Data Custodians with regards decisions for their data. The view was expressed that the PAS should be there to help, advise and make recommendations rather than to make decisions.
On this point, but taking a different view, one respondent suggested that there could be greater value from the PAS if data controllers authorised the service to make decisions on their behalf.
Responsibility and liability
The question was raised as to where the responsibility for decisions to link data would lie in circumstances where the Privacy Advisory Service had offered advice.
As one respondent noted:
'how best to avoid organisations abdicating accountability and responsibility for...decisions they make as a result of receiving advice and support from the Service merits careful attention, as does the question of liability' (Jane Dargie)
A number of respondents made the point that the Privacy Advisory Service should not lead to an increase in regulatory burden and that:
'There needs to be an emphasis on making things easier and quicker for researchers and evaluators' (Anonymous)
However one respondent noted that in their experience:
'making a procedure ethical actually does have a procedural cost. Ethical procedures are not to be sidelined as soon as they become costly.' (Scottish Council on Human Bioethics)
Resourcing and staffing issues
More than one respondent identified that a variety of skills would be needed from members of Privacy Access Service. Their remit would require them to advise on improved methodology for linkage and improved analyses of linked datasets whilst also assessing proposals realistically for possible public effect or benefit.
One respondent noted:
'the very nature of cross-sector linkages and the objectives outlined in the consultation would require an extensive advisory network to cover all areas of expertise with a very broad remit to fulfil this service' (HEADLINES, University of Aberdeen)
Respondents suggested the following further functions for the PAS:
- Overseeing statistical disclosure
- Facilitating and encouraging the release of data where data custodians may be reluctant
- Extolling the benefits of data linkage to the wider public and allaying fears regarding the safety of the use of linked data for research
Additionally, there were a number of more specific questions which respondents were keen to clarify:
- How is the Analytical Privacy Advisory Service to be established and maintained?
- Who would be eligible to join the PAS?
- Could the service be used for local linkage projects?
- Would there be any formal requirement for researchers to gain approval of this body and if so, what impact would this have on the regulatory body?
- Whether the centre will cover only those data linkage projects for 'research and statistical purposes' as set out in Section 1 of the consultation paper or whether this will have a wider remit and advisory capacity?
- In practice how would organisations set up data linkage agreements? Would requests for data come directly to organisations or would the Privacy Advisory Service work as an intermediary or would the National Data Linkage Service provide this role?
- Would ISD dictate the release of NHS data for linkage purposes?
- How would the PAS interact with members of the public? Would it take on functions of the ICO or complement them? Would it seek representations from the public or civic society on particular issues?
Email: Michael Davidson
There is a problem
Thanks for your feedback