There are hundreds of thousands of databases in the UK, many of them set up by private individuals, many more set up by private companies and Government Departments.
The retention of massive amounts of personal data on individuals has become commonplace in both the public sector and private sector.
Anyone who processes personal data must comply with the Data Protection Act 1998 (DPA). The DPA sets out eight principles around the processing of data which include requirements that personal data be processed fairly, used for the purpose for which it was obtained, kept up to date, not kept longer than necessary and measures are put in place to protect against unauthorised use or accidental loss of data.
Government databases contain huge amounts of sensitive personal information about us (i.e. tax records, medical data, welfare benefits etc). Yet all too often we have seen Government Departments lose our records. This includes recent losses relating to the bank details, child benefit records and National Insurance numbers of over 30 million people.
In addition to the potential of human error, the retention of mass amounts of personal information raises the potential for data mining and data profiling.
Data mining can mean running automated searches on large quantities of personal information to throw up patterns of ‘suspicious’ or ‘abnormal’ behaviour. These ‘fishing expeditions’ can amount to surveillance without evidence of wrongdoing, presenting a threat to personal privacy.
Legislation in this area has not kept up with changes in technology and the ability now for mass data processing. We have been calling for new data protection legislation, to better regulate data retention and provide effective enforcement and greater accountability.
Some areas of particular concern are:
- the National DNA Database which contains the DNA profiles of around 5 million people, including people who have never been convicted of any offence;
- the National Biometric Identity Service database which will gradually contain the facial and fingerprint images of all people in the UK who are subject to immigration control;
- the NHS Spine and Summary Care Record which will contain all patient health records in an electronic format available unless the patient has opted out from having their record held (once a patient has opted in there is no chance to later opt out).
- the transfer of personal information across government departments, and increasingly, to private companies carrying out functions on behalf of Government.
We are not opposed to the retention of personal information on databases per se – but what is retained must be only what is necessary and proportionate. Government databases should be purpose-specific and there needs to be tighter regulation on what information is retained, for how long and who has access to it.