Scottish gov't plans personal data cull
The proposal has come as part of a consultation on identity management and privacy principles in public services. They are aimed at raising confidence in the management of personal data, amid fears that a growing dependence on centralised databases has created substantial risks to privacy.
A spokesperson for the government said the proposals would not lead to any statutory measures, but that there has been wide buy-in from public bodies and that the government would expect it to be adapted by all of the Scottish public sector.
Among the key proposals is that public sector organisations should minimise the personal information they hold, acquiring it only when there is a specific need and ensuring it is held only as long as necessary for the purpose.
The document also says organisations should seek to avoid creating large centralised databases of personal information, and if there is a genuine business need, to rely more on pulling together information from more than one source. In addition, personal and transactional data should be stored separately, and data should only be shared between organisations if strictly necessary. It says these measures would reduce the risk of data being abused.
Other significant proposals include:
* Only asking people for their identity when necessary and confining the request to as little information as possible;
* Asking them to identify themselves just once;
* Carrying out privacy impact assessments to ensure new initiatives address privacy issues;
* Demonstrating that personal information can only be accessed by staff who need it;
* Keeping records of access to personal information;
* Requiring private and voluntary bodies that deliver public services to stick to the principles; and
* Public bodies should explain why information is needed, and where and why it is shared.
Scotland finance secretary John Swinney said: "Public services which store and manage people's identity information must respect the privacy of individuals. Recent incidents where data has not been treated with due care are regrettable and avoidable. I want the public to feel confident that data is secure and their privacy is safeguarded."
"These guiding principles are aimed at everyone who is responsible for complying with requirements to protect personal information. The principles are important and relevant to a wide range of public sector staff — both those who deal directly with the public and also staff involved in designing and operating systems."
"This is about embedding principles and instilling further confidence in public services. I want a range of staff across the Scottish public sector and beyond to engage with us and help refine these draft principles to ensure Scottish public services are effective and secure."
Ken Macdonald, assistant information commissioner for Scotland, welcomed the move and said all public bodies should ensure data protection is an important part of their corporate governance.
The consultation for the proposal will run until 23 November, and the Scottish government hopes to publish the final principles as early as possible in the new year.