U.K. government data handling practices stir privacy fears

Researcher Tom Ilube says that a failure to implement controls has put the accuracy and integrity of U.K. government databases into question.

Greater integration of U.K. government databases will cause serious problems for British citizens unless better processes are put in place to eliminate false information, an expert has warned.

Referencing research into data handling at 30 government departments earlier this year, Tom Ilube, CEO of online identity manager Garlik Ltd., says that government plans for connecting various large databases will make it even harder to keep data accurate and up to date.

As SearchSecurity.co.uk reported last month, a survey of 30 major government departments revealed that none of the agencies was able to guarantee the accuracy of information held about individuals.

Furthermore, the Home Office is still citing "public interest concerns" to avoid revealing whether it has basic processes in place to correct any inaccurate personal information it holds on British citizens. Such a lack of procedure would breach the Data Protection Act.

Ilube said the research was prompted by concerns over the growth of public sector databases.

He described one case that put the problem into focus: "A member of the public came to us. He had been involved in an employment case which had gone against him because of incorrect information held by the NHS. He only discovered this later on, and was unable to get it corrected and was unable to get the judgment reversed as a result."

Ilube decided to see for himself how well different departments of government handled data and how well they kept it updated. He submitted questions under the Freedom of Information Act asking how they went about correcting data they found to be inaccurate.

"Personal information is volatile. A fair amount of effort needs to go into keeping it accurate and up to date," he said. "It is all very well saying you have a policy, but we wanted to test if they actually put resources into it. That tells you if the principle is translated into practice."

Ilube confessed that he was surprised when the results came back. "I have to say I thought the pattern would be more varied."

No department had a written data correction policy or protocol. Only two departments (Office of Public Sector Information and Ofsted) had any written data correction policy, and only Ofsted and the Driver and Vehicle Licensing Agency conducted independent audits for Data Protection Act compliance. No department allocated funds for correcting information, or kept any statistics about erroneous data correction.

Although legislation is likely to be passed soon to allow the Information Commissioner to carry out spot-checks in government departments, no such right currently exists.

Ilube said the results show a failure on behalf of government to take the problem seriously. "If you don't keep any statistical information and have no process and procedures to keep information up to date, then you cannot ensure accuracy," he said. "It's got to tell you something about the attitude to personal information in some of these organisations."

So far Ilube has had no government response to his research. In addition, the Home Office has still not supplied any information despite regular requests from the Garlik CEO.

Ilube said he will go back to all 30 departments with a copy of the responses and make some specific suggestions they could consider. He will also warn them that he plans to repeat the exercise in a year to see if changes are made.

There are no independent audits at the moment in government departments to ensure compliance with the Data Protection Act, according to Ilube, and there ought to be. "You get more executive attention when there is an audit coming. If the audit reports weaknesses, then it brings them into focus."

"Any competent auditor will look at accuracy. And one of the first questions they will ask is for a copy of the processes and procedures in order to assess whether they are appropriate. If the organisation says they don't have any, then it would be a pretty short audit."

The situation needs to be rectified soon, before more connections are made between major government databases, possibly including the National Identity Database, NHS databases, ContactPoint (a directory of children at risk) and other travel databases, Ilube said.

"If you join them up, any problems today will be magnified. Data will be able to move fast around government, and it will be hard to get on top of it. The scale of the challenge then will be even larger. Any of those departments should be working hard to get their act together now."

He is not optimistic that improvements will be made. Despite some big breaches of security within government, and the well-publicised Data Handling Review of the Cabinet Office, Ilube says attitudes remain unchanged.

"You don't get the impression that the mindset has shifted," he said. "Where a senior executive is accountable, then things tend to get done. Government departments have not begun to deal with the accountability issue. You need someone senior in an organisation who is responsible for personal information, and who can protect it against those in the organisation who have a different agenda."

To illustrate the nature of the problem, he cites another example of a very senior businessman -- "a captain of industry" -- who recently took over the helm of a large U.K. corporation. A routine HR check with the Criminal Records Bureau turned up a potentially embarrassing situation: someone of the same name had been convicted of grievous bodily harm in Scotland, and the police database pointed the finger of blame at him.

A discreet conversation with the individual was enough to show he was innocent, that there was an error in the CRB database, and the appointment went ahead. "With his resources, reputation and lawyers, it was an almost laughable incident," Ilube said. "There was much banter in the boardroom. But you can imagine that other people in more junior positions would just have got a rejection letter without explanation. That is what we are trying to avoid."
