In an excoriating indictment of the UK government’s data handling practices, a report published in March 2009 claimed that one in four public sector databases is illegal and “should be scrapped or substantially redesigned”.
The Database State report was backed by the Joseph Rowntree Reform Trust, a liberal advocacy group established in 1904. Its argument hinged on comparing the data handling, storage and sharing practices of 48 government databases against not only the Data Protection Act (DPA), but also the European Convention on Human Rights (ECHR).
The ECHR asserts that citizens’ data may only be stored if they grant their consent. The report’s authors argue, therefore, that databases containing information about children are questionable, as children are not old enough to grant legal consent. They add that citizens cannot be said to have given proper consent if the purposes of a database are ill-defined or change over time.
By introducing a human rights element to data handling practices, the report’s arguments may have ramifications for businesses.
Only public sector organisations are subject to human rights law. “The traditional approach is that human rights are ‘things the state must not do’,” says Ross Anderson, chairman of the Foundation for Information Policy Research and lead author of the report.
“Therefore, although private companies may have intrusive data collections, you can’t use ECHR against them, just the Data Protection Directive and the national laws that transpose it,” he explains. “In the UK, these are weak.”
But for one thing, private sector organisations are increasingly involved in managing public sector databases.
“The NHS Secondary Uses Service database, for example, is run by BT and it clearly contravenes ‘I v Finland’ [a landmark ruling on the human rights implications of handling patient data],” says Anderson. “So it’s going to have to be redesigned.”
Andrew Sharpe of the law firm Charles Russell argues that the DPA involves sufficient human rights protection. He asserts: “Where processing is carried out without the consent of the individual, then the condition that is often relied upon by database owners is one that permits processing for legitimate business purposes ‘except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject’. This clearly introduces a human rights test.”
But the Database State report argues that in meeting the requirements of the DPA, the government has insufficiently protected the rights of UK citizens. This is perhaps the beginning of a case for tightening the DPA.