ID Card Fail

[Ross Anderson]

Peter Tomlinson wrote:

> Recently I was at an IAAC [1] WG where a person from Ministry of Justice (sounds like a pop group)  passed an opinion to the effect that they don't think the population have any "theological objection" to sharing of our personal data across al govt depts.

As it happens, I just this morning gave a talk on this at Anglia.

The majority of UK citizens, according to repeated opinion polls, object
to the proposition that their personal health information should be 
collected and mae available for research without their consent. Most
people are prepared to say yes if asked, but most will object if not 
asked.

In October last year the European Court of Justice agreed. In I V 
Finland it ruled that you have the right to restrict your medical
records to the clinicians directly involved in your care.

This is actually a show-stopper. The government cannot fix it with
the majority; to escape it a UK government would have to withdraw 
from the Council of Europe, repeal the Human Rights Act, and quite
possibly leave the EU. Let's face it, it's not going to happen.

Instead, public sector organisations should obey the law - even if 
they don't like it - and plan to develop future systems (and if 
need be redevelop existing ones) to be ECHR-compliant. That means,
quite simply, that sensitive information cannot be shared without
consent except in specific and narrowly-defined circumstances, as
discussed in FIPR's 2006 report on Children's Databases and 
elaborated in judgments since (Finland, Marper etc)

Ross