How to implement principle 2 of the Data Ethics Framework for the public sector.
You must be aware of legislation and codes of practice that apply to your use of data.
This includes knowing about:
- legislation that applies to your proposed data use
- how to produce statistics
- data protection by design
- data minimisation
- information governance
Other important pieces of central government guidance that are helpful for using data and designing projects in the public sector include:
- The Civil Service code
- HM Treasury Aqua Book: guidance on producing quality analysis for government
- HM Treasury Magenta Book: guidance for evaluation
What the law says
Here are some important pieces of legislation that typically apply to using data. If you are unsure how relevant laws might affect your work, speak to a legal adviser within your organisation.
If you are using personal data, you must comply with the principles of the EU General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) which implements aspects of the GDPR and transposes the Law Enforcement Directive into UK law. It also provides separate processing regimes for activities which fall outside the scope of EU law.
Equality and discrimination
Analysis or automated decision making must not result in outcomes that lead to discrimination as defined in the Equality Act 2010.
Sharing and re-use of data
When accessing or sharing personal data, you must follow the Information Commissioner’s Code of Practice for Data Sharing which should be read alongside the ICO’s Guide to GDPR. This Code of Practice is due to be updated to align with the new Data Protection Act 2018.
When re-using published and unpublished information relating to public tasks, you must follow the Re-use of Public Sector Information Regulations 2015.
Copyright and intellectual property
Copyright and intellectual property are often governed by combinations of statutes.
When using data, respect copyright laws and database rights, covered in part by the Copyright and Rights in Databases Regulations 1997.
When procuring software, consider potential intellectual property constraints covered in the Intellectual Property Act 2014.
Freedom of information
Your use of data may be subject to the Freedom of Information Act 2000. You should also consider the wider publishing of datasets released following a Freedom of Information request, in accordance with the Protection of Freedoms Act 2012.
Sector specific legislation
Specific sectors like finance and health have further data use legislation and frameworks, including those relating to the use of non-personal data. Health research has its own UK Policy Framework for Health and Social Care Research drafted by the NHS Health Research Authority (HRA). The NHS HRA also provides specific guidance for health researchers on the new data protection principles being introduced by the General Data Protection Regulation.
When using or producing statistics, you must follow the Code of Practice for Statistics.
The National Statistician’s Data Ethics Advisory Committee (NSDEC) provides independent and transparent ethical assurance that the access, use and sharing of public data for research and statistical purposes is ethical and for the public good. The UK Statistics Authority can work with statisticians and researchers to identify potential ethical issues in their research and guide them through the NSDEC application process.
Data protection by design
Data protection by design and by default is a legal requirement under the GDPR. It means taking a holistic approach to embed data protection from design through to application of any use of personal data.
GDPR requires that anyone handling personal data protects the rights of individuals by:
- using personal data for a specific task
- putting in place technical and organisational measures to implement data protection principles effectively
- integrating necessary safeguards into the processing of personal data
This includes a commitment to completing data protection impact assessments (DPIA) (also known as privacy impact assessments) throughout the lifecycle of your project or service. DPIAs are an important tool for identifying privacy risks.
It is a legal obligation under under Article 35 of the GDPR to complete a DPIA when there’s likely to be high risk to people’s rights, particularly when using new technologies. However it is often good practice to do a DPIA for any use of personal data.
Things to think about:
always seek the advice of your organisation’s Data Protection Officer when doing a DPIA
privacy should be considered throughout the project – although you may not be using personal data at the outset of your work, the project type and privacy considerations may change as work develops
you should consider how often you will repeat the DPIA when using personal data and may need to change this if the project changes significantly
when joining a new project, seek out and review the existing DPIA to familiarise yourself with any risks to rights and freedoms identified and the relevant mitigation strategies proposed
if you discover a DPIA has not been completed for a project for which it is relevant, this should be flagged as soon as feasible
see the ICO’s guidance on DPIAs, including its Privacy Impact Assessments Code of Practice, and practical advice on doing DPIAs for data analytics
An important aspect of complying with data protection law, is being able to demonstrate what measures you are taking to ensure this (see Article 5(2) of the GDPR (the accountability principle) and Article 30 on keeping records of processing activities).
Your organisation and information assurance teams will be responsible for this at a high level including ensuring policies and training are in place. However, it is essential to show how you are doing this at an individual level, through thorough documentation of things like Data Protection Impact Assessments.
You must use the minimum data necessary to achieve your desired outcome.
Article 5(1)(c) of the GDPR states that personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. You should only use as much data as is required to successfully accomplish a given task.
The law tells us the minimum we need to do to protect the rights of citizens when using data. However, when deciding if a particular data use is ethical, we need to think beyond legal compliance only. See principle 3 (Use data that is proportionate to the user need) to evaluate proportionality.
Organisations have a responsibility to keep both personal data and non-personal data secure.
Government departments, services and public bodies set out how they use, store and share personal data including how data subjects can exercise their rights in their Personal Information Charters or service privacy notices. Personal Information Charters contain guidance on how people can access their data, as prescribed in Articles 13 and 14 of the GDPR. A useful example of a Personal Information Charter is from the Department for Work & Pensions.
The Security Policy Framework requires that risk assessments are carried out to ‘identify potential threats, vulnerabilities and appropriate controls to reduce the risks to people, information and infrastructure to an acceptable level’.
Information assurance (IA) helps do this by:
- assessing the information risks
- helping to define the appropriate measures required to reduce those risks to levels acceptable to your organisation’s risk appetite
- ensuring that contracts provide the required measures
You should engage as early as possible with your IA specialists so they can provide effective support through all stages of your work.
In many organisations information risk is overseen by a Senior Information Risk Owner (SIRO). Usually your organisation will have a risk appetite statement that sets out how information risk is managed.
You should consult with your information assurance team when you need to delete data.