
Children's rights group threatens ICO with judicial review

Action over inaction against Youth Justice Board


Children's Rights Group ARCH has threatened to take the Information Commissioner to a judicial review after the data regulator declined to take enforcement action against the Youth Justice Board for unlawfully collecting and distributing data.

According to Terri Dowty, Director of ARCH, the Youth Justice Board (YJB) is continuing to process data without consent, in a manner that is possibly discriminatory and even dangerous to the individuals concerned.

However, despite an admission by the Information Commissioner that his office may have misunderstood what the YJB was doing with its data, and an undertaking to investigate the matter further, no enforcement action has yet been taken.

A note from the ICO to ARCH suggests that its reluctance to take such action is primarily because the ICO initially got the law wrong, and since the YJB has been operating unlawfully for a year with its blessing, it would be wrong to intervene in haste now.

Just over a year ago, ARCH raised concerns over the way in which the YJB was collecting and storing data on young people.

Historically, the YJB has collected aggregated data on a quarterly basis from 157 local Youth Offending Teams (YOTs). Until July 2009, the medium for data collection had been "Themis", an electronic data collection system provided to YOTs as a standalone programme: data was used to provide statistics and reports and to answer parliamentary questions.

In 2009, this changed, as the YJB commissioned YJMIS. Under this system, client-level data is taken directly from YOT systems via software extensions commissioned from existing system suppliers. The data is notionally divided into "mandatory" and "discretionary" items although, according to ARCH, the software tool automatically copies all data, anyway. Nor is it clear where or at what point each YOT obtains the data subject’s consent to share "discretionary" data.

At issue is the fact that YJMIS uploads all data on individual clients, field for field, without aggregation, including ethnicity, date of birth, gender and where available postcode sector - that is, the first half of the postcode (outbound) plus the first digit of the second half.

According to the YJB, this was not personal information, as it did not uniquely identify an individual: however, as ARCH pointed out, and the ICO subsequently accepted, the above data is more than enough to identify an individual – particularly in rural areas.
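The identifiability argument above can be checked mechanically by counting how many records share each combination of the four fields named in the article. The following is an added illustration, not part of the original article or of any YJB system: the rows, the made-up "ZZ"/"ZY" postcode areas, the group codes and the `coarsen` step are all constructed assumptions.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("ethnicity", "dob", "gender", "sector")

def postcode_sector(postcode):
    """Outward code plus first digit of the inward code: 'ZZ21 8AB' -> 'ZZ21 8'."""
    compact = postcode.replace(" ", "").upper()
    if len(compact) < 5 or not compact[-3].isdigit():
        raise ValueError(f"not a full UK postcode: {postcode!r}")
    return f"{compact[:-3]} {compact[-3]}"

def class_sizes(records):
    """Count the records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in QUASI_IDENTIFIERS) for r in records)

def unique_ids(records):
    """Ids of records whose combination occurs exactly once (k = 1)."""
    sizes = class_sizes(records)
    return [r["id"] for r in records
            if sizes[tuple(r[k] for k in QUASI_IDENTIFIERS)] == 1]

def coarsen(record):
    """Hypothetical coarsening: birth year only, postcode district only."""
    return {**record, "dob": record["dob"][:4],
            "sector": record["sector"].split(" ")[0]}

# Constructed sample rows: (id, ethnicity, date of birth, gender, postcode).
_ROWS = [
    (1, "group A", "1994-03-02", "M", "ZZ21 8AB"),
    (2, "group A", "1994-03-02", "M", "ZZ21 8XZ"),
    (3, "group A", "1994-11-17", "M", "ZZ21 8AB"),
    (4, "group B", "1994-06-30", "F", "ZZ21 0QQ"),
    (5, "group A", "1995-01-09", "F", "ZY14 5TP"),
    (6, "group A", "1995-08-21", "F", "ZY14 6AA"),
]
RECORDS = [
    {"id": i, "ethnicity": e, "dob": d, "gender": g, "sector": postcode_sector(p)}
    for i, e, d, g, p in _ROWS
]

if __name__ == "__main__":
    print("unique at client level:", unique_ids(RECORDS))
    print("unique after coarsening:", unique_ids([coarsen(r) for r in RECORDS]))
```

In this constructed set four of the six client-level records are the only ones with their combination of values, and one remains unique even after dates and postcodes are coarsened.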

ARCH specifically drew the attention of the Information Commissioner to a 2008 House of Lords ruling that data is personal where "if, taken together with the 'other information', they enable a living individual to whom the data relate to be identified".

YJB further claimed that the postcode information was discretionary, despite the fact that Careworks RAISE - one of the two systems used by local YOTs for data collection – does not allow YOTs to opt out of supplying sector postcode data.

These concerns were all put to the ICO by ARCH back in July 2009 – and the ICO first declared the YJB had no case to answer, then stopped responding to correspondence altogether. It was not until ARCH combined forces with other concerned organisations, including Genewatch UK, Privacy International and the Open Rights Group and wrote directly to Information Commissioner Chris Graham in June of this year that he responded, apologising for his organisation’s earlier failure to act and blaming "oversight".

He wrote: "Management information systems should not need to identify individuals and we therefore need to discuss your concerns about the system with the YJB urgently."

In July, a representative of the ICO met with the YJB, which finally accepted that the data being uploaded was personal data, and that it was legally responsible (ie, the data controller) for the information it holds. It promised that it would "review" the issue.

ARCH then wrote to the ICO asking it to use its s40(8) powers to take enforcement action, "given the flagrant nature of the breach and its potential for grave prejudice".

ARCH added: "A failure to take enforcement action would amount to a clear failure to regulate."

So far the ICO has declined to act, citing its own previous incorrect advice, and claiming that "the staff who have access are contractually obliged not to misuse information to which they have access". So that’s OK.

A spokeswoman for the YJB told us: "In response to the new opinion the YJB is working closely with the ICO to determine what steps are required to resolve this situation. The YJB is also seeking authoritative information assurance advice from a CESG CLAS (CESG Listed Adviser Scheme) consultant, which we will share with the ICO to determine next steps.

"It is important to note the ICO has not made any suggestion the YJB is processing personal data through the Youth Justice MIS unfairly."

A spokesperson for the Information Commissioner’s Office (ICO) said: "The ICO has found that the Youth Justice Management Information System holds personal information, which could in some circumstances lead to the identification of an individual... We are currently working with the Youth Justice Board on a complete review of their management information system to ensure any information collected and held is done so in compliance with the Data Protection Act."

It added, "Having taken into account all the circumstances we do not believe that the immediate suspension of this database is a necessary course of action at this time. We will continue to work closely with the organisation throughout the review to ensure the privacy of individuals remains of utmost priority." ®
