Out-Law / Your Daily Need-To-Know

Out-Law News

A quarter of Government's databases are probably illegal, says report

The UK has become a 'database state', collecting more data than other countries and organising them in databases which, in almost a quarter of cases, are illegal, according to a new report. Eleven of the UK's 46 databases almost certainly break the law, it says.

A review of the UK's public databases has been published by The Joseph Rowntree Reform Trust (JRRT), an independent body that promotes political reform and aims to boost the rights of individuals.

The Government has pursued a policy of collecting and centrally storing personal information because it believes that it will help it to deliver services more efficiently and improve national security. Databases being built include the NHS's detailed care record, the national identity register that would lie behind the ID card and a national DNA database.

"In too many cases the public are neither served nor protected by the increasingly complex and intrusive holdings of personal information invading every aspect of our lives," said the report. "A quarter of the public-sector databases reviewed are almost certainly illegal under human rights or data protection law; they should be scrapped or substantially redesigned."

The report was produced for the JRRT by consultancy Foundation for Information Policy Research (FIPR). It counted and assessed the 46 databases operated or being built by the Government and found them mostly wanting.

"More than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge," it said. "Fewer than 15% of the public databases assessed in this report are effective, proportionate and necessary, with a proper legal basis for any privacy intrusions. Even so, some of them still have operational problems."

Only six of the 46 databases were found by the FIPR to operate properly. These included the TV licensing database and the national fingerprint database, two that have been operational for a long time. They were judged to be 'green' by the report.

"Green means that a database is broadly in line with the law. Its privacy intrusions (if any) have a proper legal basis and are proportionate and necessary in a democratic society," it said. "Some of these databases have operational problems, not least due to the recent cavalier attitude toward both privacy and operational security, but these could be fixed once transparency, accountability and proper risk management are restored."

Databases judged to be 'red', which means they are probably illegal, include the national DNA database, the national identity register and the NHS detailed care record.

The report said that this number of failed databases is not necessary in a modern state. Other countries avoid the mistakes that the UK makes, it said.

"Britain is out of line with other developed countries, where records on sensitive matters like healthcare and social services are held locally. In Britain, data is increasingly centralised, and shared between health and social services, the police, schools, local government and the taxman," it said.

The report outlined the steps that Government should take to solve the database problem.

"Government should compel the provision or sharing of sensitive personal data only for strictly defined purposes, and in almost all cases, sensitive data should be kept on local rather than national systems," it said.

"Citizens should have the right to access most public services anonymously. We have been moving from a world in which departments had to take a positive decision to collect data, to one where they have to take a positive decision not to. This needs to be challenged," said the report.

Rosemary Jay, a privacy law expert at Pinsent Masons, the law firm behind OUT-LAW.COM, said that it would help privacy practitioners to see more detail on how the report was constructed.

"No doubt sitting behind it is a methodology which was applied to each dataset. It would be useful to see this. Given the vast number of datasets it covers and the variety between them – there is no comparison in scale between [NHS database] NPfIT and a local government CRM system – it is at most a starting point. But as a starting point deserves to be taken seriously."

"The colour coding may grab headlines but is inevitably crude and in fact for databases which have not yet been put into operation or are still under development, may be regarded as unrealistic," she said. "It will be a shame if the use of the colour codes alienates the constituencies that need to be persuaded of the need to look at our growing sets of databases."

"Importantly the report illuminates how little regulatory control there has been over this movement because of the restrictions on the UK's privacy regulation," said Jay.
