Data sharing in the public sector has become a pivotal aspect of governance, enhancing service delivery, policy development, and decision-making processes. However, the practice of sharing data, particularly data that requires particular protections, such as children’s data or special category data like health data, is a double-edged sword.
While it can lead to significant public benefits and is paramount to safeguarding children in certain situations, it also raises substantial concerns about privacy and data protection.
This blog explores the multifaceted nature of data sharing within the public sector, highlighting instances where frameworks have been implemented successfully, where processes have faltered, and the inherent challenges and ethical considerations that should be addressed before sharing data with other organisations.
The Good: Benefits of data sharing
Perhaps the most obvious benefit of data sharing is that it can considerably improve a customer’s experience as well as the operational efficiency of the organisations involved. Healthcare organisations, for instance, have greatly benefited from implementing data sharing frameworks. The NHS’s use and sharing of electronic health records (EHR), accessible by GPs, hospital staff, and now secondary care workers, can considerably improve a patient’s experience. These records allow for an improved standard of safety for patients, for example, by making comprehensive allergy records and diagnoses available to key staff. This then reduces the need for professionals to repeat tests, saving both time and money for the NHS as well as protecting patients from unnecessary risks. This data can then be used further to bolster the service’s capabilities by identifying patterns and allowing the NHS to apply its limited resources to the most impactful areas.
A secondary benefit of the EHR system is that with recent initiatives to create comprehensive patient records, public sector organisations would be better positioned to safeguard their most vulnerable clients. Liverpool’s Family Build System is an example of how sharing such data can benefit its end users. By integrating various data sources, predominantly about adults, the system assists social workers in assessing the risk levels of children. It can then help social workers identify which families are most in need of their services. Again, this demonstrates how data sharing can be used to improve an organisation’s efficiency while adding value to the data subject’s experience. A win-win situation.
The Bad: When Data Sharing Goes Wrong
Not all data-sharing initiatives have had positive outcomes. The misuse or unauthorised access to shared data can lead to privacy violations and erode public trust. A notable incident involved the Department for Education giving improper access to intelligence company GB Group, who used schoolchildren’s data to verify whether individuals opening gambling accounts were 18. Were it not for the ICO’s hesitation to put pressure on public funding, the Department would have been fined £10 million. The 2020 ICO audit of the Department resulted in 139 recommendations. It was also revealed that the Department shared a database of such information with 12,600 organisations. This led to the organisation coming under fire from children’s charity Defend Digital Me as well as drawing public outrage that children’s data could be accessed for such inappropriate means, highlighting the dangers of sharing data improperly.
The sharing of data that should be afforded particular protections has also raised legal and ethical concerns. In May 2023 there was outrage when it was uncovered that NHS trusts were sharing special category data, collected through a covert tracking tool operated by Meta Pixel, without notifying their users. This data could then be used by Meta Pixel’s parent company, Meta, for its own business purposes. Such data included IP addresses and connected Facebook accounts of users who clicked a link to access mental health support services, or accessed information related to living with HIV. This raised major ethical concerns as it was revealed that 22 million UK users were affected. However, no legal action was taken as Meta Pixel shifted the blame to the Trusts by insisting that they should have properly set up the tracking tool to enable filters that would prevent such data being shared.
Some of the Trusts claimed a lack of awareness of the tool and its data sharing capabilities.
By not adhering to key data protection principles, both the Department for Education and NHS Trusts involved in these data sharing disasters are likely to face issues with consumer trust going forward. A lack of compliance from an organisation equates to a lack of trust from the consumer. In the public sector, this can be especially damaging as, according to a Deloitte survey, 44% of UK adults already do not trust government organisations with their personal data.
The Downright Ugly!
One of our team recently went to a hospital appointment, and on entry to the Consultant’s room, was told that she would be required to give her consent so the Consultant could open her medical notes.
She was asked to read a consent statement and tick the box (on the Consultant’s computer), before being asked to check her emails (on her personal phone) to look out for an authorisation code. After ten minutes of frustrating back and forth – with the email not going through – the Consultant said that she may not be able to look at all of her medical history. Luckily, the code eventually came though, and the Consultant could then verify the authorisation/consent, and as such, access the medical records.
Why choose consent?
This begs the question… what were they thinking when that system was introduced?
Why would the Trust think that the lawful basis for processing the data could possibly be consent, when the patient has actively gone to the hospital for an appointment? As Barry Moult finely says, when thinking about data sharing in healthcare, use the rule, ABC. ‘Anything But Consent’.
The public has shown good faith in healthcare organisations sharing their data; Healthwatch reports 77% of adults are confident in the NHS’s ability to protect their data. It is important not to misspend this goodwill by relying on the wrong legal basis for processing.
One lawful basis that may spring to mind is vital interest. It is most prevalently linked to the medical field, but usually only applied in situations of life and death – not for checking into a hospital for a visit.
Something more suitable would be a reliance on processing the data for a public task. As the NHS is a public body established by the NHS Act 2006 and Health and Social Care Act 2012, their business is based upon statutory powers which underpin their legal bases for processing data under GDPR. Naturally, much of the processing that the NHS conducts relies on this basis. This requires thorough justification, all of which must be documented. While it may seem like a pain to use robust data governance frameworks, it is important for both individual privacy and ethical considerations, particularly in this setting, where special category data is being processed.
Moving Forward: Striking the Right Balance with data sharing
To harness the benefits of sharing data within the public sector while mitigating its risks, it is imperative to establish strong data protection and governance frameworks. This includes implementing clear guidelines on data minimisation, purpose limitation, and lawful bases; ensuring transparency in data-sharing practices; and investing in secure data-sharing technologies.
Fostering a culture of data ethics within any organisation is essential. The development of data-sharing initiatives can enhance trust and accountability. The ICO provides a useful toolkit of resources that can be used within your organisation to help foster a culture of safe data sharing, particularly data concerning children.
While data sharing in the public sector presents both opportunities and challenges, navigating its complexities requires a careful and balanced approach. By prioritising data protection and ethical considerations, public sector entities can leverage data sharing to serve the public interest effectively, ensuring that the benefits far outweigh the risks. The lack of awareness around tracking tools with data sharing capabilities (such as Meta Pixel) highlights the importance of having well-informed and trained staff.
If you need further support, book a call now to talk to a Consultant at DPAS.
Our services include:
- Data Sharing in the Public Sector Training
- Drafting of Data Sharing Agreements
- DPO Services (let us help you)
