Wednesday, 14 September 2011

UK transparency & privacy review

The independent review of the impact of UK government transparency on privacy, commissioned by the Cabinet Office and led by Dr Kieron O'Hara, is now out:

Comments are invited, to privacyreview@cabinet-office.gsi.gov.uk. No deadline date seems to have been given. (The public consultation on open data, launched in August, is still open - deadline 27 Oct 2011.)

Conclusions

  • Privacy is extremely important to transparency. The political legitimacy of a transparency programme will depend crucially on its ability to retain public confidence. Privacy protection should therefore be embedded in any transparency programme, rather than bolted on as an afterthought.
  • Privacy and transparency are compatible, as long as the former is carefully protected and considered at every stage.
  • Under the current transparency regime, in which public data is specifically understood not to include personal data, most data releases will not raise privacy concerns. However, some will, especially as we move toward a more demand-driven scheme.
  • Discussion about deanonymisation has been driven largely by legal considerations, with a consequent neglect of the input of the technical community.
  • There are no complete legal or technical fixes to the deanonymisation problem. We should continue to anonymise sensitive data, being initially cautious about releasing such data under the Open Government Licence while we continue to take steps to manage and research the risks of deanonymisation. Further investigation to determine the level of risk would be very welcome.
  • There should be a focus on procedures to output an auditable debate trail. Transparency about transparency – metatransparency – is essential for preserving trust and confidence.

Recommendations

"…which are intended to implement these conclusions without making too strong a claim on resources":
1. Represent privacy interests on the Transparency Board.
2. Use disclosure, query and access controls selectively.
3. Include the technical paradigm.
4. Move toward a demand-driven regime.
5. Create a data asset register.
6. Create sector transparency panels.
7. A procedure for pre-release screening of data to ensure respect for privacy.
8. Extend the research base and maintain an accurate threat model.
9. Create a guidance product to disseminate best practice and current research in transparency.
10. Keep the efficacy of control in the new paradigm under review.
11. Maintain existing procedures for identifying harms and remedies.
12. Use data.gov.uk to raise awareness of data protection responsibilities.
13. Investigate the Vulnerability of Anonymised Databases.
14. Be transparent about the use of anonymisation techniques.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.