Customer insight and data protection
Because customer insight often involves sharing and manipulating large amounts of personal data, it is subject to data protection laws.
Data protection laws do not stop councils holding or sharing data about people, but councils need to be specific about, and take care with, the information they collect. Sharing of personal information should be supported by a sound business case and preferably accompanied by a privacy impact assessment. This should identify the intended benefits of collecting the data and show that the council has identified and addressed any risks to data protection.
For the purposes of the Data Protection Act, a council is a single organisation and sharing information between a council's departments is not a disclosure of personal information as such. However, if a department is using information for a different purpose than that for which it is given, this is considered a secondary use and the council must comply with data protection principles. Particularly relevant are the first and second principles, which require that personal information is dealt with fairly and lawfully, and processed for a limited purpose in separate documents.
Data Protection Act, the basics - on the Information Commissioner's Office website
For most customer insight purposes, councils will only require information about trends within the community - aggregate level data, therefore personal data can be anonymised. Data should therefore be shared in a way that minimises or avoids the use of personal identifiers.
Where data is being shared between organisations, data protection laws do apply. Developing an information sharing protocol can help you and your partners work through what can and can't be shared and start to set up the flow of information. Both partners should then adhere to this protocol and staff should be trained in applying it in the council and any partner organisations.
Partner organisations in Dorset have developed a protocol which could usefully be applied to other local areas. This includes a checklist for where information can and should not be shared and flowcharts to identify when information sharing is viable.
Dorset Over-arching Information Sharing Protocol news release - on the Dorset Police Force website
Additional sources of information and guidance on data protection and handling
- Government Connect support and data handling guidelines for local government
- Privacy impact assessment guidance - on the Information Commissioner's Office website
- Data protection guide - on the Information Commissioner's Office website
- Data protection tools and resources - a list of specialist guidance on the Information Commissioner's Office website
- Local government data handling guidelines - on the Local Government Association (LGA) website
26 July 2010