The official version of this document can be found via the PDF button.
The below content has been automatically generated from the original PDF and some formatting may have been lost, therefore it should not be relied upon to extract citations or propose amendments.
Scrutiny Sub-Panel Scrutiny Office Morier House Halkett Place
St Helier
Jersey
JE1 1DD
24 June 2007
Dear panel members,
Whilst the Scrutiny panel rightly raises the question regarding privacy and uses of data, I would like not only to express my views on this matter, but also provide the panel with a clear definition of the technical system devised.
I do this as I was, in my former role as IS Director for the States, one of the architects of the proposed technical solution, which was developed in conjunction with colleagues within the Chief Minister's department. There has been some confusion about this solution and I am keen to ensure that the panel is afforded the opportunity to understand it. I am not now party to any potential changes in approach that may be forthcoming, but I hope these notes may be of some use.
We took great pains to ensure that the technical solution was simple and fit for purpose, but would also provide a mechanism that could operate effectively where minimal data sharing and exchange was possible.
The technical model makes use of two types of system and understanding the difference in function of each is crucial. The two types of system can be confused, which is why I am at pains to describe the function of each as clearly as possible. In recent months the terms "population register" and "population database" and "population office system" have to some extent been used interchangeably – they should not be as it is the very difference between these systems and terms that guarantees compliance with Data Protection legislation and safeguards individuals' information.
Population Database
The proposed solution recommends the development of a database designed to hold minimal information – just sufficient to identify one person as being distinct from another: name, aliases, date of birth, address, etc. Added to each record would be a unique number assigned to each person for Population Office purposes (but it could be applied to other systems too, under correct control) and the address would be the unique property reference number to link the data to the Jersey Land and Property index, already in wide use. This "Population Database" contains no other information: no medical records, no tax data, no social security data, and so on.
Population Register and Population Office System
The register is the core information that will allow the Population Office to undertake its statutory duty. For each person in the Island a record will be held that identifies residential licence and status, employment entitlement, etc., in line with the legislation. The link between this and the Population Database (above) is the unique person number. This database, therefore, does contain business information, but will be held and used exclusively by the Population Office – i.e. no other department would have access to this (in the same manner as medical records are kept for the exclusive use of the Health and Social Service department).
The Population Database (the thin data record described above) can be shared across government departments and there are very good reasons why this should be done. Firstly, such information, name, address, date of birth, etc., is already stored on electronic systems in many departments, but there are inconsistencies and inaccuracies across the States. Secondly, maintaining knowledge about who is resident in the Island can be achieved by allowing departments in regular contact with the public or employers (H&SS, Social Security, Income Tax, etc.) to report the unique person identifier numbers of those people with whom they have been in contact (last month, last quarter, etc.), to the Population Office. Someone who has not "touched" a States department in such a manner for a given period (say 2 years) might have left the Island, for example. Trying to force people to announce formally that they are leaving the Island is just a non-starter, so this proxy method seems a reasonable and pragmatic approach. This would not be a matter of public record, but for Population Office information only. Thirdly, and perhaps most importantly, when departments have aligned their internal, secure, business databases with the Population Database the common use of the unique person identifier will allow departments that already have the rights (under their respective data protection registrations) to share information, to be completely sure that they are exchanging information about the same person. Such alignment does not open this data up to any wider use than at present.
The point is that such exchanges already take place quite legally, but keyed upon names and addresses etc., this new method allows greater accuracy and reduced maintenance.
It has been proposed that the uses to which the Population Database is put should be subject to formal approval by the Data Protection Commissioner – i.e. there would not necessarily be an automatic right for departments to link to this (thin) database – and that such usage information should be published. So, departments would have to "opt-in". In addition, an individual should be entitled to view and challenge the entry pertaining to them.
Whilst the panel will, no doubt, wish to explore this in more detail, in summary, the proposed solution protects individuals' information (no business or confidential information is shared), it does not require an identity card (but can operate with one if that is the direction desired), and offers additional benefits to government than just simply building a single system for the Population Office. As such it is a better model than the monolithic database proposed by the UK government and should serve the Island well.
Turning finally (and at long last I hear you say) to the two questions posed:
"What is the correct balance between the amount of information the Government
should hold on you, and your right to privacy? What uses should the Population Register have?"
Across government all sorts of information is held about an individual: education records, financial records, medical records, etc. All are required for the purposes of government. It is more efficient for government and thus cheaper for tax payers, if the common information (name, address, date of birth, etc.) is stored once and maintained through a variety of channels in a single place. The States has some 200 name and address databases – cutting down on the need to maintain all of these will be a significant saving. The proof of this, if proof is needed, is that in the testing work already done against various name and address databases, corrections need to be applied to some 70% of the data. In an information-based society, greater accuracy improves efficiency.
Despite the nature of the model described above, I do believe that there should actually be a wider sharing of data across States departments, all except, perhaps very specific information. The reason for sharing is that it would allow public services to be delivered better in single places across the States rather than requiring people to go to Social Security for one thing, and to Planning for another, and so on. How much better for public service would it be if one could obtain a driving licence, submit a planning application and schedule an outpatient's appointment by going to either the Customer Service Centre (Cyril Le Marquand House), or the Planning and Environment Department, or the Hospital (or, indeed, elsewhere)? The technology is available, controls and safeguards are not difficult, just the will is needed.
The beauty of the technical model described above is that it can enable wider sharing of information, or it can provide strict control over data sharing if that is what is agreed. Such sharing then becomes possible, as today, under the correct and proper data protection control.
In terms of what uses the Population Register should have, well that depends upon the definition given to the register. In my definition above, it forms part of the Population Office systems and should only be part of the Population Office. If this refers to the Population Database, then its use should be States-wide for the purpose of identifying one person as being unique and distinct from another.
The real benefit and the real challenge is to find the right amount of information that can be shared that will improve government's efficiency – it can be done given the right thought and care.
If the panel requires clarification on any of the above, then I would be prepared to explain further, but I would not wish to tread on the toes of any representative from the Chief Minister's department as the thinking may now have moved on.
Yours faithfully,
Dr S F Chiang
(sent electronically, thus not signed by hand)
Corporate Services Scrutiny Sub-Panel
The Population Register is coming What do you think?
The Island will soon be introducing a Population Register, which will record information on all of the Island's residents, and provide a record of Jersey's total population. The Scrutiny Sub-Panel is reviewing the Data Protection and legal implications of these proposals.
What is the correct balance between the amount of information the Government should hold on you, and your right to privacy?
What uses should the Population Register have?
This is your opportunity to tell us what you think
The Sub-Panel invites informed comments from the public on these proposals. Submissions should be sent to the following address to arrive no later than Monday 25th June 2007.
Scrutiny Office, Morier House, Halkett Place, St Helier, JE1 1DD Email: scrutiny@gov.je
Tel : 441080 ; Fax: 441077 ;
Or posted on the Forum on the Scrutiny website at www.scrutiny.gov.je/forum.
All written and oral submissions will be uploaded to the Scrutiny website as a matter of course with the exception of any evidence received under a confidential or private agreement which in accordance with Jersey Data Protection legislation will not be released into the public domain.