1m French out of work thanks to dodgy data - UK next?
Get vetted and go... on the dole
As the UK prepares to put in place its shiny new vetting database later this year, analysis of a similar project in France reveals a devastating degree of inaccuracy, leading to real hardship for a very large number of people.
A report (pdf) issued last week by CNIL, the French Data Protection Agency, reveals that as many as a million people have lost jobs – or didn’t get them in the first place – because of inaccuracies in the police STIC database (Systeme de Traitement des Infractions constatés, or "criminal record check system").
Police databases have been very much in the news in the course of 2008, following the creation, by decrees published on 1 July 2008, of two new intelligence databases, EDVIGE and CRISTINA.
The purpose of CRISTINA (Centralisation du renseignement intérieur pour la sécurité du territoire et les intérêts nationaux) is the "Centralisation of domestic intelligence for homeland security and national interests". Because CRISTINA is classified as being for defence purposes, its contents are deemed to be an official secret and details of what is held on it remain a mystery.
But that's not the case with EDVIGE, which provoked such outcry that the government backed down in November 2008, agreeing instead to bring forward proposals for a modified system, known as EDVIRSP.
Objectors to EDVIGE were horrified to learn that it would have gathered information on any person having applied for or exercised a "political, union or economical mandate or playing a significant institutional, economical, social or religious part as well as information on any person, starting from the age of 13, considered by the police as a "suspect" potentially capable of disrupting the public order".
Opposition was swift and brutal, with thousands of people demonstrating in over 60 cities. Faced with petitions and up to a dozen separate legal challenges, the French government decided to cut its losses and back down. While detail of what will be held in EDVIRSP is still not known, it is believed that it will specifically exclude information relating to people’s health or sexual orientation.
But what then of STIC? The CNIL report reveals that STIC, created in 1995, but only officially acknowledged since 2001, is accessed by the police approximately 20m times a year. That alone represents a massive degree of surveillance and checking.
However, CNIL's President described STIC as "more dangerous than EDVIGE", because of the huge number of errors that CNIL has discovered recorded in it.
STIC now covers approximately half of the French population – without any age limitation. In this one detail, our own vetting database compares favourably, as current estimates suggest that, in time, it will hold data on no more than half the UK’s working population.
In other respects, serious issues over the provenance of data illustrate all too clearly what happens when the government starts to collect data on its citizens without putting adequate measures in place for updating and accuracy checking.
Thus, the police may register individual details on STIC after an offence has been committed. Registration should include not only suspect details, but those of the victim as well, and the records should be updated with the outcome of any court decision. "Innocent until proven guilty" works under French Law as well.
Unfortunately, CNIL report that not only are updates very seldom applied – but that on occasion victims are mistakenly registered as suspects. Overall, CNIL identified an error rate of 83 per cent on STIC records: not all errors were as serious as those suggested above; some were. This is "staggering": it also has major social consequences, since – anticipating the UK’s own law on Safeguarding Vulnerable Groups 2006 by three years, the French passed a law in 2003 which extended the role of STIC to checking the (criminal) records of anyone applying for a wide range of jobs – especially in the security field. Sounds familiar?
CNIL’s estimated 1m hired or fired "by mistake" include victims recorded as criminals, and suspects whose not guilty verdict was never added to the database. The single comfort for French citizens lies in the fact that unlike our own vetting base, STIC inflicts its damage through the simple mechanism of mis-recording actual verifiable data.
It will be left to EDVIGE to implement the second feature of UK’s new checking system – which is to add in allegations and accusations, irrespective of the accuracy of either. ®
Sponsored: 2016 Cyberthreat defense report