Data protection essential for e-government plan

"If you do not wish to receive further information, please tick the box," says the small print

"If you do not wish to receive further information, please tick the box," says the small print. The Data Protection Act lays out the rights of individuals to control how their personal information is treated. If an organisation wants to keep personal data on computer, the information must be obtained and processed fairly, must not be kept for longer than necessary and must only be used for the purpose for which it was given.

These regulations mean that the Government's plans for a central public services broker - a computer data vault that will store information about citizens and build personal profiles - must include security measures to prevent one public service agency gaining unauthorised access to information relating to a person's transactions with a different department.

The Reach initiative, which aims to provide public services to individuals and businesses online through a single access point, will act as a "one-stop shop" for those who want to avoid queues and cut down on paperwork. Ms R≤is∅n Doherty, Reach senior systems project manager, says that "total customer control" is at the heart of the e-government strategy.

"It's not a case of what data privacy issues are going to be raised, it is more a case of how they are going to be resolved," she says.

READ SOME MORE

The public services broker will give customers "as much control as possible" over the release of data from their personal data stores.

All accesses to personal data will be recorded and staff will be unable to view personal profiles unless the customer grants permission by keying in a PIN or password. "As things stand, an individual may not be aware of how public agencies use their information - they don't know who is going to see it," says Ms Doherty. "But through Reach, they can be secure in the knowledge that the agency has to go through a security mechanism to prove they are entitled to know X, Y and Z about a person.

If a person who is applying for child benefit agrees to release their information, then they will know that it is for the purposes of applying for that service and purely for that reason."

It is the right of consumers to opt out of secondary or future uses of their personal information. Data Protection Commissioner, Mr Joe Meade, stressed in his annual report that re-directing existing records held by the Department of Social, Community and Family Affairs for the new purpose of a central public services broker would breach the "fair obtaining" principles of data protection.

Instead, there should be a "re-registering" of citizens, with individuals able to provide only "core" data such as name, address, date of birth and personal public service number, and choose if they want to deal with State bodies "on a case-by-case basis in the traditional way".

In other words, this Government may send you information about new services: if you want to be removed from the list, please tick (or click) here.

In the US, where consumers do not possess the same level of data protection rights, public and private organisations may sell personal data to third parties, such as direct marketing companies, who then target particular groups.

"Someone might come to a big government department and say 'I've got this idea for a service and someone of a particular profile would be interested in availing of this service, so why can't I use this information?' " says Ms Doherty.

If your letterbox is stuffed with junk mail or your inbox clogged with its electronic equivalent, spam, then either you forgot to tick the appropriate box or your rights to data protection are being ignored.

But consumers might not always be handed the evidence through their front doors or even know if the "keep out" sign on their data is being respected.

Section 8 of the Data Protection Act allows for the disclosure of personal data "for the purpose of preventing, detecting or investigating offences", including tax and social welfare fraud.

In Britain, one suggested use of e-government databases is an online cross-check of applicants for taxi licences with recipients of social welfare benefits.

Here, the Data Protection Commissioner is cautious about the extent to which the public services broker should be used to combat fraud. It would be "inappropriate" to allow the broker to be used as "a universal anti-crime database", or to subject all citizens to automatic screening.

"The public services broker should be there to help citizens get better public services," according to Mr Ronnie Downes, assistant data protection commissioner. "It should not be used as a mass surveillance system."

Since the terrorist attacks on September 11th, the possibility that personal data could be used to create a secret surveillance system has become more likely.

In Europe, preventing an all-knowing, all-seeing state from using computer technology in this way a driver behind the development of data protection law.

The EU Council of Ministers will need to pass new legislation to allow for the "blanket retention" of internet, e-mail and telephone records.

These "electronic fingerprinting" techniques may be one reason, according to the National Consumer Council (NCC) in Britain, why consumers are uneasy about the amount of personal information that is held on them - and how it will be used by businesses and government.

An NCC survey published last month shows that two-thirds of people in Britain do not know how to complain about the misuse of their personal information.

In the Republic, however, the number of formal complaints dealt with by the Office of the Data Protection Commissioner increased from 105 in 1999 to 131 in 2000.

"Irish people are quite conscious of their rights and this is borne out by the trend in the level of complaints," says Mr Downes.

"In an ideal world, we will be looking forward to a reduction in the number of complaints," he adds.

"But it is not possible to overestimate the importance of data protection. Without it, the electoral register could be linked with the telephone directory or health databases, and individuals would have no privacy."

Laura Slattery

Laura Slattery

Laura Slattery is an Irish Times journalist writing about media, advertising and other business topics