IP, Technology & Data

The Scottish Government’s proposals for allowing more than 100 public bodies share data using each citizen’s unique NHS number have raised concerns about the creation of a national ID database by the backdoor.

Despite headlines to the contrary, the proposals are not intended to create a new database. Nor will they suddenly lead to extensive sharing of sensitive data between Scottish public authorities. Instead, they are intended to use a pre-existing national database to enable more effective data sharing between and accurate data retention by Scottish public authorities.

Why the NHS register?
The NHS Central Register (NHSCR) is a register of all individuals registered with a GP in Scotland. It is generally considered to be the most accurate and complete record of individuals living in Scotland.

The NHSCR is currently used to enable the efficient and accurate sharing of data between the various Scottish health boards and those involved in the delivery of health and social care. Using a unique reference number should reduce the risk of patient records and sensitive information being mixed up. The NHSCR is simply that, however; the register does not itself contain any medical records.

Data sharing in the public sector
To date, data sharing in the public sector has largely taken place on a piecemeal basis, based on a mix of express statutory obligations to share data and non-statutory initiatives by public sector bodies to use data sharing to improve the accuracy and quality of services that they deliver to citizens, and improve cooperation and collaboration between various agencies.

However, the absence of a common unique citizen identifier can reduce the effectiveness of such data sharing, as it is not always possible to tie particular data to the correct individual. That in turn could create inaccuracies and inefficiencies, which in turn could lead to dots not being joined up or incorrect assumptions being made.

The proposals
Under the proposals, the legislation underpinning the NHSCR would be amended. There are four key proposals:

  • Improving data quality in the NHSCR by removing the restriction on holding postcode and address information,
  • Widening access to the NSHCR for the purposes of tracing missing persons and to enable the tracing of non-Scottish residents receiving treatment from the NHS in Scotland
  • Assisting with identify verification for the purposes of the Scottish Government’s new single sign-in service (“myaccount”) for online services provided by the public sector in Scotland, and enabling the effective use of myaccount by the public sector in Scotland (for example, avoiding the creation of duplicate accounts and inconsistent records)
  • Providing an accurate record of Scottish residents for the purpose of HMRC’s administration of the new Scottish Rate of Income Tax (SRIT) with effect from April 2016, thus avoiding the need for the creation of a new database of Scottish residents simply for the purpose of administering the SRIT.

Interestingly, the draft legislation proposed the consultation paper does not limit access by other public sector bodies specifically for the purposes of utilising myaccount. It appears therefore that the listed bodies could utilise the NHSCR for the purposes of verifying the accuracy of any information held by them in relation to citizens for other purposes.

What the proposals do not do
What the proposals would not do is to legislate for or enable the extensive sharing of personal information relating to citizens in Scotland beyond the core information held in the NHSCR. The proposals make it clear that only specified information may be shared for the purpose in question (though note my comment above about the absence of any specific reference to myaccount.

In particular:

  • The authorities involved will still need to establish a legal basis for the data sharing under data protection legislation if there was no clear statutory reason for doing so.
  • The recipient organisation will still be bound by its obligations as a data controller under data protection laws to ensure that the data being shared is only used for lawful purposes, kept up to date, secure and not retained for longer than is necessary
  • The authorities involved will still need to ensure that they have in place a written data sharing agreement regulating the proposed sharing of data.

Addressing data privacy
As part of its privacy impact assessment under data protection legislation, the Scottish Government will need to ensure that any adverse privacy impact of increased access to the NHSCR is properly considered and justified, with appropriate steps taken to mitigate any risks.

This will include taking steps to ensure that appropriate measures are in place to keep the NHSCR secure and used only for the specified purposes and to ensure that access to the database is properly controlled.

It’s notable that the Scottish Government’s consultation paper questions are focussed on solely on the effectiveness and appropriateness of opening up access to the NHSCR to achieve the aims set out above, rather than data security. Given the benefits to citizens of more effective and accurate records within the public sector (and the advantages to citizens of a single sign-in for a myriad of online public services), the answers to these questions may be taken as a given.

Assuming that the proposal goes ahead, it will be interesting to see how the Scottish Government proposes to address those concerns.

Follow me

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.
Follow me