An Open Letter to John Swinney
Dear John Swinney,
I sat in the gallery yesterday to watch the debate on Privacy and the State. As a member of the Open Rights Group, I have a keen interest in the subject.
The Identity Management and Privacy Principles, published in October 2014 with your name on the foreword, states in Section 4.6:
If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers; other mechanisms, such as matching, should be considered.
Willie Rennie and Patrick Harvie drew attention to the proposal that stakeholders should share the Unique Citizen Reference Number (UCRN). Using the UCRN as a key would link multiple databases, in effect forming a super-database, which is what concerns those who object to the plan. In your closing speech, Harvie intervened to ask you to acknowledge that the proposal breaches the Scottish Government's own guidelines. You responded:
I do not believe that the proposal breaches the data privacy principles that we set out.
Time was short, so you said no more, but I invite you now to elaborate on your bald denial. The proposal certainly appears to contravene the principle advocated by your own document---how can you claim it does not?
It is not only your own guidelines which question your plan. The British Medical Association and the Royal College of General Practitioners have raised concerns about sharing information collected by the NHS with HMRC, and the UK Information Commissioner has warned that the proposal may breach European and British data protection laws. Both these criticisms were raised during the debate, but ignored by you---I invite you to answer them as well.
There are ways forward that meet the needs of government and citizens that are far less problematic. I welcome your offer to review the proposals, and I hope that in light of these criticisms the Scottish Government will rethink its plans.
Professor of Theoretical Computer Science
School of Informatics
University of Edinburgh
Minutes of the debate on Privacy and the State
Identity Management and Privacy Principles
Report of the debate from BBC News