Feeds

Children's rights group threatens ICO with judicial review

Action over inaction against Youth Justice Board

The Power of One Brief: Top reasons to choose HP BladeSystem

Children's Rights Group ARCH has threatened to take the Information Commissioner to a judicial review after the data regulator declined to take enforcement action the Youth Justice Board for unlawfully collecting and distributing data.

According to Terri Dowty, Director of ARCH, the Youth Justice Board (YJB) is continuing to process data without consent, in a manner that is possibly discriminatory and even dangerous to the individuals concerned.

However, despite an admission by the Information Commissioner that his office may have misunderstood what the YJB was doing with its data, and an undertaking to investigate the matter further, no enforcement action has yet been taken.

A note from the ICO to ARCH suggests that its reluctance to take such action is primarily because the ICO initially got the law wrong, and since the YJB has been operating unlawfully for a year with its blessing, it would be wrong to intervene in haste now.

Just over a year ago, ARCH raised concerns over the way in which the YJB was collecting and storing data on young people.

Historically, the YJB has collected aggregated data on a quarterly basis from 157 local Youth Offending Teams (YOTs). Until July 2009, the medium for data collection had been "Themis", an electronic data collection system provided to YOTs as a standalone programme: data was used to provide statistics and reports and to answer parliamentary questions.

In 2009, this changed, as the YJB commissioned YJMIS. Under this system, client-level data is taken directly from YOT systems via software extensions commissioned from existing system suppliers. The data is notionally divided into "mandatory" and "discretionary" items although, according to ARCH, the software tool automatically copies all data, anyway. Nor is it clear where or at what point each YOT obtains the data subject’s consent to share "discretionary" data.

At issue is the fact that YJMIS uploads all data on individual clients, field for field, without aggregation, including ethnicity, date of birth, gender and where available postcode sector - that is, the first half of the postcode (outbound) plus the first digit of the second half.

According to the YJB, this was not personal information, as it did not uniquely identify an individual: however, as ARCH pointed out, and the ICO subsequently accepted, the above data is more than enough to identify an individual – particularly in rural areas.

ARCH specifically drew the attention of the Information Commissioner to a 2008 House of Lords ruling that data is personal where "if, taken together with the 'other information', they enable a living individual to whom the data relate to be identified".

YJB further claimed that the postcode information was discretionary, despite the fact that Careworks RAISE - one of the two systems used by local YOTs for data collection – does not allow YOTS to opt out of supplying sector postcode data.

These concerns were all put to the ICO by ARCH back in July 2009 – and the ICO first declared the YJB had no case to answer, then stopped responding to correspondence altogether. It was not until ARCH combined forces with other concerned organisations, including Genewatch UK, Privacy International and the Open Rights Group and wrote directly to Information Commissioner Chris Graham in June of this year that he responded, apologising for his organisation’s earlier failure to act and blaming "oversight".

He wrote: "Management information systems should not need to identify individuals and we therefore need to discuss your concerns about the system with the YJB urgently."

In July, a representative of the ICO met with the YJB, which finally accepted that the data being uploaded was personal data, and that it was legally responsible (ie, the data controller) for the information they hold. They promised that they would "review" the issue.

ARCH then wrote to the ICO asking it to use its s40(8) powers to take enforcement action, "given the flagrant nature of the breach and its potential for grave prejudice".

ARCH added: "A failure to take enforcement action would amount to a clear failure to regulate."

So far the ICO has declined to act, citing its own previous incorrect advice, and claiming that "the staff who have access are contractually obliged not to misuse information to which they have access". So that’s OK.

A spokeswoman for the YJB told us: "In response to the new opinion the YJB is working closely with the ICO to determine what steps are required to resolve this situation. The YJB is also seeking authoritative information assurance advice from a CESG CLAS (CESG Listed Adviser Scheme) consultant, which we will share with the ICO to determine next steps.

"It is important to note the ICO has not made any suggestion the YJB is processing personal data through the Youth Justice MIS unfairly."

A spokesperson for the Information commissioner’s Office (ICO) said: “The ICO has found that the Youth Justice Management Information System holds personal information, which could in some circumstances lead to the identification of an individual... We are currently working with the Youth Justice Board on a complete review of their management information system to ensure any information collected and held is done so in compliance with the Data Protection Act."

It added, "Having taken into account all the circumstances we do not believe that the immediate suspension of this database is a necessary course of action at this time. We will continue to work closely with the organisation throughout the review to ensure the privacy of individuals remains of utmost priority.” ®

Designing a Defense for Mobile Applications

More from The Register

next story
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.