Feeds

Children's rights group threatens ICO with judicial review

Action over inaction against Youth Justice Board

Providing a secure and efficient Helpdesk

Children's Rights Group ARCH has threatened to take the Information Commissioner to a judicial review after the data regulator declined to take enforcement action the Youth Justice Board for unlawfully collecting and distributing data.

According to Terri Dowty, Director of ARCH, the Youth Justice Board (YJB) is continuing to process data without consent, in a manner that is possibly discriminatory and even dangerous to the individuals concerned.

However, despite an admission by the Information Commissioner that his office may have misunderstood what the YJB was doing with its data, and an undertaking to investigate the matter further, no enforcement action has yet been taken.

A note from the ICO to ARCH suggests that its reluctance to take such action is primarily because the ICO initially got the law wrong, and since the YJB has been operating unlawfully for a year with its blessing, it would be wrong to intervene in haste now.

Just over a year ago, ARCH raised concerns over the way in which the YJB was collecting and storing data on young people.

Historically, the YJB has collected aggregated data on a quarterly basis from 157 local Youth Offending Teams (YOTs). Until July 2009, the medium for data collection had been "Themis", an electronic data collection system provided to YOTs as a standalone programme: data was used to provide statistics and reports and to answer parliamentary questions.

In 2009, this changed, as the YJB commissioned YJMIS. Under this system, client-level data is taken directly from YOT systems via software extensions commissioned from existing system suppliers. The data is notionally divided into "mandatory" and "discretionary" items although, according to ARCH, the software tool automatically copies all data, anyway. Nor is it clear where or at what point each YOT obtains the data subject’s consent to share "discretionary" data.

At issue is the fact that YJMIS uploads all data on individual clients, field for field, without aggregation, including ethnicity, date of birth, gender and where available postcode sector - that is, the first half of the postcode (outbound) plus the first digit of the second half.

According to the YJB, this was not personal information, as it did not uniquely identify an individual: however, as ARCH pointed out, and the ICO subsequently accepted, the above data is more than enough to identify an individual – particularly in rural areas.

ARCH specifically drew the attention of the Information Commissioner to a 2008 House of Lords ruling that data is personal where "if, taken together with the 'other information', they enable a living individual to whom the data relate to be identified".

YJB further claimed that the postcode information was discretionary, despite the fact that Careworks RAISE - one of the two systems used by local YOTs for data collection – does not allow YOTS to opt out of supplying sector postcode data.

These concerns were all put to the ICO by ARCH back in July 2009 – and the ICO first declared the YJB had no case to answer, then stopped responding to correspondence altogether. It was not until ARCH combined forces with other concerned organisations, including Genewatch UK, Privacy International and the Open Rights Group and wrote directly to Information Commissioner Chris Graham in June of this year that he responded, apologising for his organisation’s earlier failure to act and blaming "oversight".

He wrote: "Management information systems should not need to identify individuals and we therefore need to discuss your concerns about the system with the YJB urgently."

In July, a representative of the ICO met with the YJB, which finally accepted that the data being uploaded was personal data, and that it was legally responsible (ie, the data controller) for the information they hold. They promised that they would "review" the issue.

ARCH then wrote to the ICO asking it to use its s40(8) powers to take enforcement action, "given the flagrant nature of the breach and its potential for grave prejudice".

ARCH added: "A failure to take enforcement action would amount to a clear failure to regulate."

So far the ICO has declined to act, citing its own previous incorrect advice, and claiming that "the staff who have access are contractually obliged not to misuse information to which they have access". So that’s OK.

A spokeswoman for the YJB told us: "In response to the new opinion the YJB is working closely with the ICO to determine what steps are required to resolve this situation. The YJB is also seeking authoritative information assurance advice from a CESG CLAS (CESG Listed Adviser Scheme) consultant, which we will share with the ICO to determine next steps.

"It is important to note the ICO has not made any suggestion the YJB is processing personal data through the Youth Justice MIS unfairly."

A spokesperson for the Information commissioner’s Office (ICO) said: “The ICO has found that the Youth Justice Management Information System holds personal information, which could in some circumstances lead to the identification of an individual... We are currently working with the Youth Justice Board on a complete review of their management information system to ensure any information collected and held is done so in compliance with the Data Protection Act."

It added, "Having taken into account all the circumstances we do not believe that the immediate suspension of this database is a necessary course of action at this time. We will continue to work closely with the organisation throughout the review to ensure the privacy of individuals remains of utmost priority.” ®

Beginner's guide to SSL certificates

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.