There are hundreds of thousands of databases in the UK, many of them set up by private individuals, many more set up by private companies and Government departments.
The retention of massive amounts of personal data on individuals has become commonplace in both the public sector and private sector.
Anyone who processes personal data must comply with the Data Protection Act 1998 (DPA). The DPA sets out eight principles around the processing of data which include requirements that personal data be processed fairly, used for the purpose for which it was obtained, kept up to date, not kept longer than necessary and measures are put in place to protect against unauthorised use or accidental loss of data.
Government databases contain huge amounts of sensitive personal information about us (i.e. tax records, medical data, welfare benefits etc). Yet all too often we have seen Government Departments lose our records. This includes recent losses relating to the bank details, child benefit records and National Insurance numbers of over 30 million people.
In addition to the potential of human error, the retention of mass amounts of personal information raises the potential for data mining and data profiling.
Data mining can mean running automated searches on large quantities of personal information to throw up patterns of ‘suspicious’ or ‘abnormal’ behaviour. These ‘fishing expeditions’ can amount to surveillance without evidence of wrongdoing, presenting a threat to personal privacy.
Legislation in this area has not kept up with changes in technology and the ability now for mass data processing. We have been calling for new data protection legislation, to better regulate data retention and provide effective enforcement and greater accountability.
Some areas of particular concern are:
- The National DNA Database, which contains the DNA profiles of around 5 million people, including people who have never been convicted of any offence;
- The National Biometric Identity Service database which will gradually contain the facial and fingerprint images of all people in the UK who are subject to immigration control;
- The NHS Spine and Summary Care Record which will contain all patient health records in an electronic format available unless the patient has opted out from having their record held (once a patient has opted in there is no chance to later opt out);
- The transfer of personal information across government departments, and increasingly, to private companies carrying out functions on behalf of Government.
We are not opposed to the retention of personal information on databases per se – but what is retained must be only what is necessary and proportionate. Government databases should be purpose-specific and there needs to be tighter regulation on what information is retained, for how long and who has access to it.
Draft Data Protection Regulation
The retention of huge amounts of personal data raises questions about the rules which apply to those who handle it, including private companies. Our data protection laws are set to be overhauled by new proposals being considered at the European level.
The draft Data Protection Regulation offers the opportunity to introduce significant improvements in privacy protections for individuals, by creating a more meaningful definition of consent and putting in place stronger protections in terms of access, correction and deletion. The Regulation could also put in place stronger enforcement mechanisms.
Unfortunately these positive changes are in jeopardy thanks to lobbying by big business and the US Government, who seem more concerned with protecting commercial interests than safeguarding consumers.
Data Protection Directive
A Data Protection Directive is also being considered by the European Parliament, setting out new rules on the processing of personal data for the prevention, investigation, detection or prosecution of criminal offences.
This measure has received considerable opposition from the Government who are reluctant to sign up. What we don’t know is what alternatives – if any - are being considered to ensure our data is protected effectively.