One quarter of British databases ‘almost certainly’ illegal

Database State was released by The Joseph Rowntree Reform Trust Limited and compiles the findings from a panel of experts that includes Ross Anderson, chairman of the Foundation for Information Policy Research and Ian Brown, a senior research fellow at the Oxford Internet Institute.

The scathing study declares that one in four British databases are almost certainly illegal according to human rights or data protection law, and adds that fewer than 15% of databases in operation are ‘effective, proportionate and necessary’.

The databases are categorised within the report into a ‘traffic light system’. A quarter of all databases make up the ‘red’ category, or those which are ‘almost certainly illegal’, which the report recommends should be ‘scrapped or substantially redesigned’. Database State notes that for this category, ‘the collection and sharing of sensitive personal data may be disproportionate, or done without our consent, or without a proper legal basis’.

‘Red’ databases include the high-profile national DNA database, the national identity register and ContactPoint, the controversial national index of all children in England. The latter aims to hold extensive biographical and contact information for every child and will keep a record of their relationship with public services.

‘Amber’ databases are those which, according to the study, have significant problems and may be unlawful. Database State recommends that for these databases, depending on the circumstances, individuals may need the right to opt out. The report suggests that an incoming government should mandate ‘an independent assessment of each system to identify and prioritise necessary changes’. ‘Amber’ databases include the national pupil database and the NHS summary care record.

The report marks the remaining databases as ‘green’, maintaining that they are ‘broadly in line with the law’ and stating that:

‘Its privacy intrusions (if any) have a proper legal basis and are proportionate and necessary in a democratic society. Some of these databases have operational problems, not least due to the recent cavalier attitude toward both privacy and operational security, but these could be fixed once transparency, accountability and proper risk management are restored.’

Green databases include the police national fingerprint database and the TV licensing database.

The report also suggests that Britain is ‘out of line’ with other developed countries, where sensitive information is held locally.

The government has received extensive criticism on the abundance of databases from opposing ministers. Conservative MP Eleanor Laing stated that the government must adopt a “principled, proportionate, less-centralised approach to collecting personal information”, while Chris Huhne of the Liberal Democrats commented that “In their desperation to track our every move, ministers have created a glut of databases, many of which are quite simply illegal”.

Phil Bridge, managing director of data recovery provider Kroll Ontrack UK commented: “The public sector’s approach to databases is failing to address important compliance considerations at each step of the process.

“Compliance with human rights and data protection laws must be at the forefront of every IT project from the start. The projects highlighted in the report have received the red light too far into their implementation, wasting billions of pounds of public money. Granted, investing more time in the planning stage and regularly cross-checking an implementation strategy with legislation and policy may lengthen the period until completion. However, this investment would ultimately increase the likelihood of a project’s successful delivery, the rate of which currently stands at an alarming 30%.”

Bridge continues: “Compliance must also remain a key consideration for the projects that have received the green light. With high volumes of sensitive personal data on file, the storage and archiving of this data has to comply with data protection laws, and must facilitate Freedom of Information requests. Information sharing across departments is under scrutiny, so once a database is established, the public sector must check that back-ups are working before being sent to storage. It is only then that the public sector can guarantee end-to-end compliance.”

According to Database State, two-thirds of the population no longer trust the government with their personal data.