The government must bring in changes to better protect personal information, says the Equality and Human Rights Commission (EHRC).
Current privacy law is failing to stop breaches of personal data privacy and is not keeping pace with the rapid growth in personal data collection, according to a report from the commission.
The way the government and its agencies collect, use and store personal data is deeply flawed, says the report. But due to the complexity of the legal framework they may be unaware that they are breaking the law.
Geraldine Van Bueren, a commissioner for EHRC, warned the state is holding increasing amounts of information about people without their knowledge or their being able to check its accuracy.
"This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws," she said.
Breaches of privacy are likely to get worse in the future as demand for personal information increases and as new technologies for collecting, storing and sharing that data are developed that are not covered by existing legislation or regulations, says EHRC.
Any requirement to use personal data for a purpose other than that for which it was collected should go through a vetting process, says the body.
In November 2007 HMRC notoriously lost a computer disc containing the child benefit records of more than 25 million people. The following month the government lost details of some three million UK learner drivers.
In response to the report's findings, the Commission is making three recommendations to government:
• streamline the current legislation on information privacy so that it is easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights.
• ensure that public bodies and others have to properly justify why they need someone's personal data and for what purpose. Organisations should ensure they comply with the current data protection and RIPA regimes, in addition to the Human Rights Act.
• all public bodies should carefully consider the impact on information privacy of any new policy or practice and ensure that all requests for personal data are justified and proportionate.