Scotland's New Privacy Principles

First published: 02^nd December 2010

Scotland is introducing privacy principles to control the amount of personal information collected by public-sector organisations. They are:

• Proving identity or entitlement: people should only be asked for identity when necessary and they should be asked for as little information as possible
• Governance and accountability: private and voluntary sectors which deliver public services should be contractually bound to adhere to the principles
• Risk management: Privacy Impact Assessments should be carried out to ensure new initiatives identify and address privacy issues
• Data and data sharing: Organisations should avoid creating large centralised databases of personal information and store personal and transactional data separately
• Education and engagement: Public bodies must explain why information is needed and where and why it is shared

They are likely to become a benchmark for all public bodies in the UK. The principles take the Personal Data Protection principles laid down by the OECD, and used in legislation such as Hong Kong's PDPO, to a more specific, operation level, actually specifying that people should only be asked for identity when necessary, and risk management should be considered.

Yui Kee Chief Consultant, Allan Dyer, commented, "Some Government departments in Hong Kong would do well to look at these, for example, the eTAX hotline asks for a caller's HKID card number when the problem is pre-login on their website."