Making the register available in a machine readable and reusable format

Transcription

1 Privacy Impact Assessment Report Making the register available in a machine readable and reusable format Contents Part 1 Background and Approach Part 2 Analysis Part 3 Findings and Recommendations Annex A PIA Screening questions and answers Annex B Sample register entry Annex C Consultation text Author Lesley Bett and Simon Ebbitt Filepath WHNCWWEB01/Meridio/browse/downloadContent.aspx?doc umentid=115024&sendasref=1/title/privacy impact report - Publication of the DP register Status and version Final Version 1.0 Date last updated 16 May 2011 updated following meeting of the PIA group and reason Distribution Simon Entwisle, Paul Arnold, Traci Shirley, Jonathan Bamford, Steve Wood, Thomas Oppe 1

2 Part 1 Background and approach Introduction This report is the product of a Privacy Impact Assessment (PIA) conducted at the Information Commissioner s Office from February to May It summarises the subject, approach, analysis and findings before making recommendations on possible controls and mitigation to minimise the privacy impact of the proposal should it be approved. The ICO recommends that where an organisation proposes to process personal data, change the purposes for or way in which that personal data is processed, a PIA be conducted. Proposals contained within Part 6 of the Protection of Freedoms Bill (clause 92) relate to the release and publication of datasets held by public authorities. More specifically it states that where an applicant makes a request for information to a public authority in respect of information that is, or forms part of a dataset, the public authority must, so far as reasonably practicable, provide the information to the applicant in an electronic form which is capable of re-use. Further, there is a proposal that a publication scheme must include publication of any dataset which has been the subject of a request for information. The publication of the Protection of Freedoms Bill together with ICO s commitment to openness and transparency has made ICO consider what, if any datasets it holds that would fall within the scope of clause 92. The Data Protection Register compiled and made available for inspection by the Information Commissioner, under section 19 of the Data Protection Act 1998, is a dataset which would fall within the scope of the proposals contained within clause 92 of the Protection of Freedoms Bill. Having identified this dataset a privacy impact assessment (PIA) has been conducted to consider whether the availability of this dataset in a re-usable format will have an impact on the privacy of any individuals whose personal data may be affected. 2

3 How did we approach the Privacy Impact Assessment? An initial report by the Head of Internal Compliance had already identified a number of privacy impacts. This report was considered by an ad-hoc group (including the Directors for Data Protection, Freedom of Information and Operations) and it was agreed that a Privacy Impact Assessment would be appropriate to ensure that the impacts of a change in ICO s processing of personal data were properly considered. To conduct the PIA a small team was formed consisting of the Head of Strategic Liaison, Head of Policy Delivery, Head of Internal Compliance and the Internal Compliance Manager (continuous improvement and development). In line with advice in ICO s Privacy Impact Assessment Handbook, the initial screening questions were considered to determine whether a small scale or full scale privacy impact assessment would be appropriate. In summary, it was agreed that because: the number of data subjects affected was relatively low; the personal data in scope was limited to names and addresses and information about their processing of personal data which had usually been provided in a business capacity; no sensitive personal data was involved; all of the personal data was obtained by the Commissioner, no 3 rd parties were involved; the registrable particulars were already in the public domain via the ICO website; a small scale privacy impact assessment would be appropriate in this case and should focus on the following areas of work: Consideration of the legal framework governing the Data Protection Register. Public interest considerations and any case law. Understanding the views of stakeholders, in particular the views of data controllers on the Data Protection Register through a brief consultation exercise. The answers to the screening questions are provided at annex A. 3

4 Part 2 - Analysis What is the Data Protection Register? The Data Protection Act 1998 requires, under section 19, that the Commissioner produces and maintains a register of data controllers. Since 1996 this Register has been made available via the ICO s website. It currently contains register entries relating to more than 335,000 data controllers. It is made available so that there is transparency for individuals, referred to in the Act as data subjects, when their data is processed. Data controllers the legal person who determines the purpose for which personal data is processed must provide the Commissioner with the information set out in section 16 of the Data Protection Act 1998 (the registrable particulars ) and a notification fee, except where an exemption applies. The registrable particulars comprise: A name and address If a representative has been nominated, the name and address of the representative A description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate A description of the purpose or purposes for which the data are being or are to be processed A description of the recipient or recipients to who, the data controller intends or may wish to disclose the data The names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers or intends or may wish directly or indirectly to transfer the data Statement of exempt processing The data controllers registered with the Information Commissioner include organisations from across the public and private sectors, including limited companies, charities, partnerships, associations, elected representatives and sole traders. Sole traders and other individuals (referred to as sole traders from this point forward)who are required to notify as data controllers, for example child minders and elected representatives, must provide their own name and the address of their place of business which may be their home address. This, together with the remaining registrable particulars, constitutes personal data about those 4

5 individuals and therefore falls within the scope of this privacy impact assessment. In addition, where a representative has been nominated this information is also likely to be personal data. Most entries on the register, for example those in the name of a limited company or a government department do not contain any personal data and therefore fall outside of the scope of the PIA. It is estimated that at least 16% of entries in the register constitute personal data. What information is already in the public domain? The published register includes only the registrable particulars obtained as part of the notification process. It is not proposed that any further information should be made available, for example, contact details, addresses or telephone numbers which do not form part of the public register. This information does not fall within the scope of this privacy impact assessment and is not being considered for release. An example of a register entry for a data controller who is a sole trader is provided at annex B. How much demand is there? The volume of demand for the Register is not known. However there have been three information requests to the ICO for the Register. In two cases the data controller names and registration numbers were provided. The Register has not previously been provided in its entirety in response to information requests. Recently there has been increased interest from open data campaigners in accessing this dataset. The searchable public register currently receives visits from approximately unique visitors per month. What purposes might this data be used for? It is not known what uses will be made of the Register if it is made available, however the results of the consultation exercise provide some insight, examples include: Managing multiple registrations - data protection officers who are managing the multiple registrations. Research purposes - It may be used for research purposes by academics with a professional interest in privacy. 5

6 Direct marketing - It is clear that many expect the most common use to be sending unsolicited marketing material. The list of names and addresses of data controllers could form the basis of a mailing list or enhance an existing list and may have some value, for example, to send marketing material about IT security products. Identity theft some stakeholders are concerned about the possibility of identity theft. Merging with other datasets data mash-ups of this dataset with other available data may provide insights that would not be possible otherwise. Crowdsourcing the use of the dataset by campaigners to gain insights into public opinion about data controllers. It could be argued that the receipt of marketing material using names and addresses already in the public domain and provided in the most part in a business capacity, even when home addresses are used, does not pose a significant privacy concern. However, the strength of feeling on this issue, highlighted during the consultation exercise, should not be ignored. That said, it may be the information would be limited in value because the registrable particulars include only mailing addresses and not addresses or telephone numbers. It should also perhaps be remembered that the roots of data protection were to remove obstacles to trade. The primary purpose for reuse of data is likely to be commercial interests. It is difficult to anticipate all the possible uses that may be made of the dataset, and any significant privacy issues that these uses may pose. The personal data could be merged with a variety of other datasets. Finding 1 there are a number of purposes to which personal data contained in the Register could be put and there is likely to be some demand for the Register. Finding 2 the purposes for which the dataset could be used can be limited by the use of the Open Government License already adopted by ICO. However this license does not cover the re-use of personal data. Recommendation 1 adopt the Open Government License if this dataset is made available and consider providing an additional license to allow for the legitimate re-use of personal data within the dataset. 6

7 Current requirement to make the register available Section 19(6)(a) of the DPA 1998 requires that the Commissioner: shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge. In order to satisfy this statutory duty to make the register available for inspection the Commissioner publishes the register on his website. It is updated daily via an overnight batch process. Section 19(6)(b) also states that the Commissioner: may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate. This would appear to provide sufficient legal basis for providing the information in other ways if the Commissioner considers that to be appropriate and the discretion to do so before the Protection of Freedoms Bill passes into law. Current ICO policy, agreed some years ago, is not to make the entire register available in a reusable format or to provide a copy of it. The rationale for this policy was that information, including personal data, was being provided to the Commissioner for a statutory purpose where there is no choice and that information should not then be made available for a different purpose, for example direct marketing. IT systems were designed to implement this policy decision. When the register was made available on the internet in 1996 (rather than books or microfiche in libraries and at our office) a decision was taken to restrict the retrieval of records to a maximum of 100 per search. However, it should be noted that it is now possible for the online Register to be scraped and a full copy produced. Therefore it is possible that the Data Protection Register becomes publically available in a re-usable format regardless of the Commissioner s decision on this issue. Finding 3 that making the register available in a reusable machine readable format is not incompatible with the statutory 7

8 requirements placed on the Commissioner in relation to making the register available for inspection. The first and second data protection principles - fair processing and the purposes for which personal data is processed Consideration must be given to the fair processing requirements of the first principle. The first principle states that Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unlessa) at least one of the conditions in Schedule 2 is met The Commissioner is processing personal data relating to his obligations under Section 19 of the Data Protection Act The relevant condition within Schedule 2 is: 5. The processing is necessaryb) for the exercise of any functions conferred on any person by or under any enactment. The second data protection principle requires that personal data is obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. In this case the personal data contained in the public register has been collected for the purpose of producing a public register of data controllers and making this available for inspection by data subjects. The Commissioner has discretion about how he makes the Register available and it would not be incompatible to make it available for inspection in its entirety in a reusable format. In essence the purpose for which the Commissioner is processing the personal data in question has not changed despite it being made available in a different form and format. What would the data subjects expect? In determining whether personal data are processed fairly, regard must be had to the method by which the data is obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed. The Commissioner must also specify the purposes for which he is processing personal data and although, as established above this purpose is not changing, best practice would 8

9 support a communication exercise to ensure that those whose personal data is on the register are aware of how it is made available. Currently data controllers are made aware of the fact that the information which they are required to provide will be included on a public register available for inspection. They are not told that a copy of the entire register will be made available to anyone who wants it and that it may be reused by third parties for other purposes. Data controllers are specifically told that contact details and addresses will not form part of the public register. Sole traders who are required to notify do not have a choice about whether or not to provide their personal data failure to notify when required to do so is a criminal offence under section 21. In summary, whilst there is a clear statutory basis for making the entire Register available in a machine readable and reusable format it would not be within the current expectations of data controllers on the Register. Furthermore, there is some misunderstanding about the contents of the public register for example whether it contains addresses. Finding 4 it is not within the current expectations of data controllers that personal data contained in the Register would be made available in this way. Finding 5 that some data controllers are not clear about what information is currently made available on the Register. Recommendation 2 new data controllers should be informed, at the point of collection, of the purposes and manner in which their personal data will be processed. This will support compliance with the first and second data protection principles. Recommendation 3 existing data controllers should be informed through a communication exercise, explaining this change and the reasons for it. This is particularly important where data controllers have chosen to notify voluntarily, making personal data available in the proposed manner may influence their decision to notify voluntarily in future. At present approximately 1% notify voluntarily. Recommendation 4 communication with data controllers should clearly define the information available on the Register and what would or wouldn t be made available if available in a reusable form. 9

10 Protection of Freedoms Bill Under the Protection of Freedoms Bill, a dataset is defined as information comprising a collection of information held in electronic form where all or most of that information has been provided to a public authority in connection with the provision of the service by the authority or the carrying out of any other function of the authority. It is clear that the Register would fall within the scope of that definition. Therefore the proposals contained within the Protection of Freedoms Bill would require the Commissioner to make the Register available in a machine readable and reusable format. The timeframe for compliance with the Bill should it pass into law is not known. Finding 6 that it is likely ICO will be made to consider a legal obligation to make the Register available in a reusable format in the future. Relevant case law Before 2002, the Representation of the People (Amendment) Regulations 1990 placed Electoral Registration Officers under a duty to sell copies of the electoral register to anyone who wished to buy them. ICO s view was that the sale of the electoral roll was inconsistent with the requirements of the DPA and Human Rights Act This is because individuals are legally required to supply personal information and it was considered that additional, nonelectoral uses of this information should be kept to a minimum. A related court case in 2001 confirmed this view. Following this court judgment new Regulations created two versions of the register a full and edited version. Individuals can choose not to be included on the version of the register which is made available. It could be argued that there are some parallels with the circumstances being considered within this privacy impact assessment. However there are also important distinctions: The electoral roll only contains personal data unlike the Data Protection Register. The Data Protection register is created in the context of commercial and organisational transparency about the personal data they process. The electoral roll is available to some organisations for other purposes credit reference agencies for example 10

11 indicating that where a legitimate public policy purpose is served re-use is legitimate. Initially it seemed that offering an opt-out to sole traders would be an attractive option enabling those with personal data on the Register to exercise an element of control. However this solution could be undermined by data scraping technology and also raises complex and potentially expensive operational challenges. Finding 7 there are parallels between the electoral roll and the Data Protection Register but there are also significant differences. Finding 8 Whilst superficially attractive an opt-out for sole traders would be undermined by data scraping technology. Recommendation 5 to limit the re-use of personal data contained in the Register, for example in relation to direct marketing, through an additional license. Information Requests There have been 3 information requests for a copy of the register. In each case the response has been that Section 21 is engaged. However, in 2 cases a list of data controller names and registration numbers has been provided. Finding 9 that data controller names and registration numbers have previously been made public under the Freedom of Information Act Analysis of results of the consultation As part of the Privacy Impact Assessment we conducted a consultation exercise. The purpose of the consultation was to engage with ICO stakeholders, invite and understand their views on the proposed changes; identify additional problems and benefits, not already noted; and additional controls, or mitigations, which might be appropriate. We wanted to receive as much feedback on the proposed change as possible and therefore a wide ranging, targeted and general, consultation exercise was conducted. The Consultation exercise ran from 1 March 2011 to 8 April The consultation text is available at Annex C. To invite the views of stakeholders the following channels were used: 11

12 Consultation exercise publicised on the Consultation page and Notifications page on the ICO s website. Data Protection Officers Conference Attendees (and those who had expressed an interest) invited to respond to the consultation through delegate s before and after the conference. ICO e-newsletter the ICO sends out an newsletter to approximately 10,000 subscribers each month. The March edition included an invitation to respond to the consultation. Registered data controllers A random sample of 10,000 data controllers was extracted from the data protection register and ed directly to invite their views on the proposal. Following the closure of the consultation period the results were analysed to understand whether the responders were broadly in favour or against the proposal, and the responses categorised. Overall we received 167 responses of which 24 were from sole traders. Included below are a series of graphs and pie charts that broadly illustrate the opinions of responders. 12

13 Breakdown of responses received Total number neutral Total number neutral, 11 Total number against Total number against, 127 Total number in favour Total number in favour, Total number in favour Total number against Total number neutral

14 Responses from sole traders Number of sole traders - Number of sole traders - neutral neutral, 0 Number of sole traders - Number of sole traders - against, 23 against Number of sole traders - in favour Number of sole traders - in favour, Number of sole traders - in Number of sole traders - Number of sole traders - favour against neutral Series

15 Managing multiple registrations 7% General data protection compliance 3% Change of purpose 0% No additional benefits 0% No view expressed 3% Categories breakdown - In favour Commercial exploitation/direct marketing 3% Potential misuse 3% Personal information/home addresses 8% Commercial exploitation/direct marketing Potential misuse Personal information/home addresses Open data No additional benefits Change of purpose General data protection compliance Managing multiple registrations No view expressed Open data 73% 15

16 Categories breakdown - Against Change of purpose 2% General data protection compliance 0% No view expressed 1% No additional benefits 3% Managing multiple registrations 0% Open data 0% Personal information/home addresses 43% Commercial exploitation/direct marketing 41% Commercial exploitation/direct marketing Potential misuse Personal information/home addresses Open data No additional benefits Change of purpose General data protection compliance Managing multiple registrations No view expressed Potential misuse 10% 16

17 Categories breakdown - Neutral No view expressed 27% Managing multiple registrations 0% General data protection compliance 0% Change of purpose 0% Commercial exploitation/direct marketing 28% Potential misuse 0% Commercial exploitation/direct marketing Potential misuse Personal information/home addresses Open data No additional benefits Change of purpose General data protection compliance Managing multiple registrations No view expressed No additional benefits 9% Open data 9% Personal information/home addresses 27% 17

18 Finding 10 almost all sole traders who responded are opposed to the proposal. Finding 11 more than three quarters of all responders were against the proposal. Finding 12 of the responders against the proposal their concerns primarily related to the commercial exploitation of the information for marketing purposes or the potential uses that their personal data would be put to if made available in this way. Finding 13 of those in favour almost three quarters were advocates of the principle of open data. Finding 14 there is uncertainty amongst data controllers about the information currently available via the public register. Finding 15 the results of the consultation indicate that should the decision be taken to make the Register available in the manner described there would be concerns from some data controllers. Recommendation 6 steps should be taken to minimise the privacy impacts of the proposal through the imposition of a re-use license for personal data on the Register; transparency at the point of collection in future; and communication with existing data subjects about the proposal. Analysis of Public Interest Considerations A balance must always be struck between the twin public policy interests of privacy and transparency. There may be commercial benefits in making the register available in a format which allows reuse. There may be public interest benefits in reusing the information for the purposes of research. The change would enable increased accessibility to the information and one of the key arguments in favour of open data is that potentially beneficial uses cannot always be anticipated or realised by the custodian. However there are also public interest arguments against making the register available, for example it may prove to be an unnecessary intrusion into the private lives of data subjects on the register, for example it may expose data subjects to an increase in direct marketing. 18

19 Finding 16 whilst there is not a defining argument in terms of where the public interest lies there is weight to the arguments in favour of open data assuming adequate safeguards to address public concerns are put in place. Recommendation 7 - that a communication exercise should take place to engage the concerns and explain the proposal to stakeholders. 19

20 Part 3 - Summary of Findings and Recommendations Findings In summary, the findings are: Finding 1 there are a number of purposes to which personal data contained in the Register could be put and there is likely to be some demand for the Register. Finding 2 the purposes for which the dataset could be used can be limited by the use of the Open Government License already adopted by ICO. However this license does not cover the re-use of personal data. Finding 3 that making the register available in a reusable machine readable format is not incompatible with the statutory requirements placed on the Commissioner in relation to making the register available for inspection. Finding 4 it is not within the current expectations of data controllers that personal data contained in the Register would be made available in this way. Finding 5 that some data controllers are not clear about what information is currently made available on the Register. Finding 6 that it is likely ICO will be made to consider a legal obligation to make the Register available in a reusable format in the future. Finding 7 there are parallels between the electoral roll and the Data Protection Register but there are also significant differences. Finding 8 Whilst superficially attractive an opt-out for sole traders would be undermined by data scraping technology. Finding 9 that data controller names and registration numbers have previously been made public under the Freedom of Information Act Finding 10 almost all sole traders who responded are opposed to the proposal. 20

21 Finding 11 more than three quarters of all responders were against the proposal. Finding 12 of the responders against the proposal their concerns primarily related to the commercial exploitation of the information for marketing purposes or the potential uses that their personal data would be put to if made available in this way. Finding 13 of those in favour almost three quarters were advocates of the principle of open data. Finding 14 there is uncertainty amongst data controllers about the information currently available via the public register. Finding 15 the results of the consultation indicate that should the decision be taken to make the Register available in the manner described there would be concerns from some data controllers. Finding 16 whilst there is not a defining argument in terms of where the public interest lies there is weight to the arguments in favour of open data assuming adequate safeguards to address public concerns are put in place. Recommendations Should the decision be taken to make the Register available in a machine readable, re-usable format the following steps should be taken: Recommendation 1 adopt the Open Government License if this dataset is made available and consider providing an additional license to allow for the legitimate re-use of personal data within the dataset. Recommendation 2 new data controllers should be informed of this fact at the time at which their personal data is collected. Recommendation 3 existing data controllers should be informed through a communication exercise, explaining this change and the reasons for it. This is particularly important where data controllers have chosen to notify voluntarily, making the personal data available in the proposed manner may influence their decision to notify voluntarily in future. At present approximately 1% notify voluntarily. 21

22 Recommendation 4 communication with data controllers should clearly define the information available on the Register and what would or wouldn t be made available if available in a reusable form. Recommendation 5 to limit the re-use of personal data contained in the Register, for example in relation to direct marketing, through an additional license. Recommendation 6 steps should be taken to minimise the privacy impacts of the proposal through the imposition of a re-use license for personal data on the Register; transparency at the point of collection in future; and communication with existing data subjects about the proposal. Recommendation 7 - that a communication exercise should take place to engage the concerns and explain the proposal to stakeholders. Recommendation 8 that the outcome of this privacy impact assessment should be reviewed in 12 months. 22

23 Annex A PIA Screening questions and answers Appendix Screening questions Project characteristics Technology (1) Does the project apply new or additional information technologies that have substantial potential for privacy intrusion? Examples include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic. No Identity (2) Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes? Examples of relevant project features include a digital signature initiative, a multi-purpose identifier, interviews and the presentation of identity documents as part of a registration scheme, and an intrusive identifier such as biometrics. All schemes of this nature have considerable potential for privacy impact and give rise to substantial public concern and hence project risk. No (3) Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions? Many agency functions cannot be effectively performed without access to the client's identity. On the other hand, many others do not require identity. An important aspect of privacy protection is sustaining the right to interact with organisations without declaring one's identity. No the personal data within scope is already in the public domain through publication on the data protection register on ICO s website.

24 Annex A PIA Screening questions and answers Multiple organisations (4) Does the project involve multiple organisations, whether they are government agencies (eg in 'joined-up government' initiatives) or private sector organisations (eg as outsourced service providers or as 'business partners')? Schemes of this nature often involve the breakdown of personal data silos and identity silos, and may raise questions about how to comply with data protection legislation. This breakdown may be desirable for fraud detection and prevention, and in some cases for business process efficiency. However, data silos and identity silos are of long standing, and have in many cases provided effective privacy protection. Particular care is therefore needed in relation to preparation of a business case that justifies the privacy invasions of projects involving multiple organisations. Compensatory protection measures should be considered. No Data (5) Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals? The Data Protection Act at s.2 identifies a number of categories of 'sensitive personal data' that require special care. These include racial and ethnic origin, political opinions, religious beliefs, trade union membership, health conditions, sexual life, offences and court proceedings. There are other categories of personal data that may give rise to concerns, including financial data, particular data about vulnerable individuals, and data which can enable identity theft. Further important examples apply in particular circumstances. The addresses and phone-numbers of a small proportion of the population need to be suppressed, at least at particular times in their lives, because such 'persons at risk' may suffer physical harm if they are found. No the personal data is limited in scope to name, address and details about their processing of personal data. No sensitive personal data is within scope. The final paragraph raises issues which would need to be addressed when the personal data is obtained at the start of the notification process.

25 Annex A PIA Screening questions and answers (6) Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database? Examples include intensive data processing such as welfare administration, healthcare, consumer credit, and consumer marketing based on intensive profiles. No the amount of personal data about each individual is limited in scope. The only change is to make personal data already in the public domain available in a machine readable and reusable format. (7) Does the project involve new or significantly changed handling of personal data about a large number of individuals? Any data processing of this nature is attractive to organisations and individuals seeking to locate people, or to build or enhance profiles of them. No not every entry on the data protection register constitutes personal data. The number of individuals affected is relatively low. (8) Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources? This is an especially important factor. Issues arise in relation to data quality, the diverse meanings of superficially similar data-items, and the retention of data beyond the very short term. No Exemptions and exceptions (9) Does the project relate to data processing which is in any way exempt from legislative privacy protections? Examples include law enforcement and national security information systems and also other schemes where some or all of the privacy protections have been negated by legislative exemptions or exceptions. No (10) Does the project's justification include significant contributions to public security measures? Measures to address concerns about critical infrastructure and the physical safety of the population usually have a substantial impact on privacy. Yet there have been tendencies in recent years not to give

26 Annex A PIA Screening questions and answers privacy its due weight. This has resulted in tensions with privacy interests, and creates the risk of public opposition and non-adoption of the programme or scheme. No (11) Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation? Disclosure may arise through various mechanisms such as sale, exchange, unprotected publication in hard-copy or electronicallyaccessible form, or outsourcing of aspects of the data-handling to subcontractors. Third parties may not be subject to comparable privacy regulation because they are not subject to the provisions of the Data Protection Act or other relevant statutory provisions, such as where they are in a foreign jurisdiction. Concern may also arise in the case of organisations within the UK which are subsidiaries of organisations headquartered outside the UK. It is possible that the register could be reused by third parties who are not subject to comparable privacy regulations.

27

28

29

30 Annex C Consultation text ICO Consultation - Privacy Impact Assessment - Data Protection Register The ICO is required by law to make the register available for inspection and does this via the ICO website. We are currently exploring the possibility of making the register available to be downloaded in its entirety, in a reusable format. There will be a number of potential benefits from making this data available. For example, opening the data up will allow others to combine, analyse and gain new insights from it. The principles of open data have also been recently set out in the Protection of Freedoms Bill. However, a number of entries on the register relate to individuals, such as sole traders, and there are therefore data protection considerations. For example, is it fair that data collected for a statutory purpose is made available in a form that could make it more widely available and usable? We want your views on what the impact on individuals would be if the register was available to download as a dataset, in a re-usable format, in its entirety. How to respond to this consultation If you have concerns about the impact on yourself or other individuals, or are in favour of the proposal, you can let us know by sending an with you views to Consultations@ico.gsi.gov.uk The closing date for responses is the 8 April Publication of responses After the consultation we will publish a summary of the responses we receive as part of this small scale privacy impact assessment. Information you provide in your response to this consultation, including personal information, may be published or disclosed in accordance with the Freedom of Information Act 2000 (FOIA). If you want the information that you provide to be treated as confidential, please be aware that, under the FOIA, there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this, if you regard the information you have provided as confidential, it would be helpful if you could explain to us why you think this is the case. Then, if we receive a request for disclosure of

31 Annex C Consultation text the information we will take full account of your explanation. However we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the ICO. The ICO will process your personal data in accordance with the Data Protection Act 1998 and in the majority of circumstances this will mean that your personal information will not be disclosed to third parties.