Equality and Human Rights Commission (EHRC)

Commission says information privacy laws are flawed

The Equality and Human Rights Commission is today publishing a report that shows current privacy law is failing to stop breaches of personal data privacy and is not keeping pace with the rapid growth in personal data collection.

In response to the research findings the Commission wants the government to bring in changes that will better protect personal information.

The report shows that the way government and its agencies collect, use and store personal data is deeply flawed. They may be unaware that they are breaking the law as the complexity of the legal framework means their obligations are unclear.

It also finds that it is difficult for people to know what information is held on them, by which government agency or private sector body, or how it is being used. For example, as there is currently no law regulating the use of CCTV cameras it would be very difficult for someone to find which organisations hold footage of them.

It can be hard to check the accuracy of personal data held, to hold anyone to account for errors in the data or its misuse and to challenge decisions made about someone on the basis of that information. Calling any public or private organisation to account is made more difficult because people often may not know what their rights are or know when a breach of those rights has occurred.

Breaches of privacy are likely to get worse in the future as demand for personal information increases and as new technology, not covered by existing legislation or regulations, is developed for collecting, storing and sharing that data. Piecemeal reform of relevant laws, such as the proposals in the Protection of Freedoms Bill, although welcome, may not be sufficient to ensure people’s rights are protected.

Multiple breaches of personal data privacy – including the amount of information and how it is collected, loss of data, data being passed between agencies without permission and the use of surveillance – underline the pressing need for the state and others to reform how information about people is collected, used and stored.

One example of a breach of information privacy came to light in November 2007 when the Government revealed that HM Revenue and Customs had lost a computer disc containing the child benefit records of more than 25 million people. Less than a month later, the Government then disclosed that a computer hard drive had also gone missing in the United States, this time with the personal details of some three million UK learner drivers.

In response to the report’s findings, the Commission is making three recommendations to government:

  • streamline the current legislation on information privacy so that it is easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights.
  • ensure that public bodies and others have to properly justify why they need someone’s personal data and for what purpose. Any requirement to use personal data for any purpose other than for which it was collected should go through a vetting process. Organisations should ensure they comply with the current data protection and RIPA regimes, in addition to the Human Rights Act.
  • all public bodies should carefully consider the impact on information privacy of any new policy or practice and ensure that all requests for personal data are justified and proportionate.

Geraldine Van Bueren, a Commissioner for the Equality and Human Rights Commission, said:

“It’s important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it’s accurate or being able to challenge this effectively.

“This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws.”

For more press information contact the Commission’s media office on 020 3117 0255, out of hours 07767 272 818.

For general enquiries please contact the Commission’s national helpline: England 0845 604 6610, Scotland 0845 604 5510 or Wales 0845 604 8810.

Notes to editors

The research Protecting Information Privacy was carried out for the Equality and Human Rights Commission by Charles Raab (University of Edinburgh) and Benjamin Goold (University of British Columbia). The views in the report are those of the researchers, not expressly those of the Commission. The Commission is publishing the report as a contribution to the debate on information privacy.

Legislation and regulations that protect personal information privacy are set by parliament and specific Commissions, not by the Equality and Human Rights Commission. The Commission’s role as a regulator in this area is to encourage compliance with the right to privacy in relation to domestic and European law and international treaties. These include the Human Rights Act, the European Convention on Human Rights and orders made by the European Court of Human Rights.

Personal information privacy is covered by numerous laws including:

  • Abortion Act 1967
  • Access to Medical Reports Act 1988
  • Anti-Terrorism, Crime and Security Act 2001
  • Charities Act 1993
  • Charter of Fundamental Rights of the European Union
  • Child Support Act 1991
  • Companies Act 2006
  • Coroners and Justice Act 2009
  • Crime and Disorder Act 1998
  • Data Protection Act 1998
  • Environmental Protection Act 1990
  • EU Data Protection Directive 1995
  • Finance Act 1989
  • Freedom of Information (Scotland) Act 2002
  • Freedom of Information Act 2000
  • Health and Safety at Work Act 1974
  • Human Rights Act 1998
  • Human Tissue Act 2004
  • Intelligence Services Act 1984
  • Local Government Act 1972
  • Police Act 1997
  • Regulation of Investigatory Powers Act 2000
  • Regulation of Investigatory Powers (Scotland) Act 2000
  • Social Security Administration Act 1992
  • Taxes Management Act 1970

The regulators of these laws include:

  • Equality and Human Rights Commission
  • Independent Police Complaints Commission
  • Information Commissioner’s Office
  • Information Tribunal
  • Intelligence Services Commissioner
  • Interception Communications Commission
  • Investigatory Powers Tribunal
  • Office of the Surveillance Commissioner
  • Scottish Information Commissioner

 

 
