Government departments breach Data Protection Act principles

Recent research uncovers a lack of basic privacy controls in the public sector.

Government departments are still failing to implement basic security procedures and are in breach of the Data Protection Act, according to new data discovered under the Freedom of Information Act.

Despite repeated instances of information breaches, and a wide-ranging review by the Cabinet Office of data handling by government, nearly all government departments have failed to put in place basic data protection and error correction policies.

The research was carried out by the Garlik consultancy, which put 30 Freedom of Information (FoI) requests into all major government departments between September and November last year, to see if they had procedures and resources in place to ensure the accuracy of the data they kept. The fourth principle of The Data Protection Act states that "Personal data shall be accurate and, where necessary, kept up to date" but no department was able to show that it was compliant with this simple requirement.

Data loss disasters

If you lose a laptop or USB stick that contains sensitive employee data, do you have a recovery plan?
"The government's complacent attitude towards managing and correcting our personal data is all the more shocking in the light of the 176 public data losses that have occurred this year alone," Tom Ilube, CEO of Garlik said in a statement. "What people really care about is that if the government holds your personal data, it is accurate and well looked after. A typical public database can have error rates approaching 10%, meaning that a single large government database could possess erroneous data on several million individuals."

Alan Calder, chief executive of IT Governance Ltd, a consultancy specialising in regulatory compliance, was scathing about the results. "There is an egregious absence of data protection compliance in the whole of central government," he said. "Imagine what would happen in the private sector if the management team ignored instructions to stop breaking the law."

He said it would take little effort or resources to build in the right sort of corrective mechanisms. "It's not very hard to have a data correction policy. It just requires the will to do it, and this is evidence that there is no will across government and the public sector."

The news emerged at the same time as the government announced the launch of the new ContactPoint system, which is a data-sharing protection service that will allow police, medical staff and social workers to see details of up to 11 million children. Announcing the first stage of the project, Children's Minister Ed Balls said: "It is a vital tool to help keep children safe because it is absolutely crucial the right agencies are involved at the right time and get even better at sharing information."

He said basic personal details of children would be held, but not details of any cases. "We have put in place comprehensive arrangements to prevent inappropriate access to the information on the system and ongoing security will remain a priority," he said.

Data that Garlik Ltd. received from its Freedom of Information enquiries
Government Agency Written data correction policy or protocol? Conduct independent audits demonstrating DPA compliance? Have funds specifically allocated/record of funds re: correction of erroneous data? Hold statistical data regarding erroneous data corrections?
Attorney General NO NO NO NO
Business Enterprise & Regulatory Reform NO NO NO NO
Cabinet Office (& No 10) NO NO NO NO
Children, Schools & Families NO NO NO NO
Communities & Local Government NO NO NO NO
Crown Prosecution Service NO NO NO NO
Culture, Media & Sport NO NO NO NO
Department of Health NO NO NO NO
Driver and Vehicle Licensing Agency NO YES NO NO
Environment, Food & Rural Affairs NO NO NO NO
Foreign & Commonwealth Office NO NO NO NO
Home Office & associated departments Delayed response due to public interest concerns Delayed response due to public interest concerns Delayed response due to public interest concerns Delayed response due to public interest concerns
Innovation, Universities & Skills NO NO NO NO
International Development NO NO NO NO
Independent Police Complaints Commission NO NO NO NO
Ministry of Justice NO NO NO NO
Ministry of Defence NO NO NO NO
National Audit Office NO NO NO NO
NHS Connecting for Health NO NO NO NO
Northern Ireland Office NO NO NO NO
Office of Public Sector Information YES NO NO NO
Scotland Office
Stated they fall under the Ministry of Justice
Serious Fraud Office NO NO NO NO
Transport NO YES NO NO
Treasury NO NO NO NO
Treasury Solicitors NO NO NO NO
Wales Office NO NO NO NO
Work & Pensions NO NO NO NO

Read more on Privacy and data protection