Busting Data Protection Myths Part 2
In my previous blog, I addressed a number of data protection myths. There are many more. Another common myth is that data protection interferes with the ability of the police to investigate crimes effectively. That is incorrect; there is an exemption in our data protection law to enable the police to collect, use and disclose personal data that is relevant to the prevention, detection or investigation of crime (including the apprehension and prosecution of individuals). The law also permits public authorities and businesses to disclose personal data to the police to assist with any investigation. There is another exemption regarding subject access requests that permits the police to refuse to disclose information that would damage an investigation. (There is a similar provision in the Freedom of Information Law (Jersey) 2011.) Individuals should not use legal rights of access to information to obstruct an active investigation.
This does not mean, however, that police have unbridled access to personal data. They are able to collate any personal data that is/may be relevant to an investigation, but they are not entitled to conduct a ‘fishing’ expedition without probable grounds. When police request personal data from a public authority or private business, they should provide the organisation with sufficient information to establish that they are conducting a formal investigation. In some cases, quoting a police file number would be sufficient. In other cases, it might be necessary to produce a warrant. Officials disclosing information to police must be able to demonstrate that they had reasonable grounds to believe that the information was relevant to a formal investigation. Officials should not use data protection as a blanket excuse not to provide information to police. If they are in doubt about whether the law permits disclosure, they should contact their data protection officer or call our office.
There is a similar misconception that data protection laws put national security at risk. All data protection laws make provision for the processing of personal data for purposes of protecting national security. There is no need for new national security laws to override the data protection laws. Current laws enable authorities to collect, use and disclose all of the personal data required to meet their specific needs. Nevertheless, some security services desire the authority to collect information that is not relevant to protecting national security, just in case it might be useful in future. Data protection laws strike the right balance between preserving national security and protecting the human rights of innocent people. Information should be available on a ‘need to know’ basis, not a ‘just in case it might be useful in future’ basis. Reports from the United States have indicated that personal data collected allegedly for national security purposes has been used for other purposes.
Another myth is that community services caring for mutual vulnerable clients cannot share personal data or discuss coordinated care. Whether it involves children or adults, these organisations may share personal data for providing services to their common clients. There may be some cases where the client objects to this sharing. This does not mean that the law prevents sharing their information in these cases. However, service providers should take into account the wishes of the clients when determining whether to share their information. In the context of integrated services to clients, it is useful to draft an information sharing agreement that sets out what information may be shared by which organisations for what purposes. Parties drafting the agreement should involve data protection experts to ensure that that the proposed sharing conforms to the Data Protection Law. The agreement is a useful resource for staff in the field to refer to whenever they receive requests to share data.
As we can see from the numerous examples I have provided, fears about the harm of data protection laws are largely unfounded. Drafters took time and effort to examine all of the possible circumstances where it would be in the public interest to process personal data, even without the consent of the individual. They consulted widely to ensure the laws would not hamper the provision of important services to individuals and the community in general. They facilitate getting the right information to the right people at the right time for the right purpose. Where problems exist, it is with the understanding about the laws. Some people believe that they prevent certain types of processing that in reality is legal. If you believe that someone is inappropriately preventing the processing of personal data on the grounds of data protection, ask to speak to their data protection officer or call our office.
*JOIC welcomes suggestions for future blog topics. Have you got a suggestion? Please email firstname.lastname@example.org