Feeds

Gaping 'open data' loophole could leave your privates on display

Gov's white paper calls open season on enforced subject access*

Providing a secure and efficient Helpdesk

Comment The government has just published its ideas for allowing general access to data, which includes the intention to grant individuals online access to their own personal data. In general, I support this measure but sadly, the Open Data White Paper (PDF) has not even considered that it has widened the privacy problems associated with “enforced subject access”*.

In the white paper, the government states that it wants to make personal data available to the data subject by a secure portal. Indeed it intends to give NHS patients access to their own health records before the end of the Parliament (if the coalition lasts that long). This is, I suspect, the quid pro quo for the fact that the government wants wider use of medical records for research purposes (see here, where I show that the Data Protection Regulation has been changed at the UK government request's to support this move).

To illustrate the problems of online access to medical records, consider the following conversation:

Interviewer: ”Hello John. Thanks for coming to this job interview. Before we start, you have access to your medical records online. As you know, we want to make sure that you have all the hallmarks of a cooperative employee. I wonder whether you would allow us to look at your last five GP visits.”

John: “Well I am not sure of this. Doesn’t it breach the Data Protection Act?”

Interviewer: “No John, it doesn’t, and we are surprised that a cooperative individual like you could think so. All the protection you get from the Data Protection Act is unaffected. The first thing to say is that we would have your consent to your sharing your own personal details with us. 'Share' is a nice word isn’t it? Indeed we encourage all our employees to consent and share their details with us in this way on a regular basis.

“In addition, we are not going to record anything from your files in our databases. We are just going to look at your personal data. Because this information is not copied from your files to ours, we don’t have any 'data' and because of that, we don’t have any personal data. All we are doing is 'looking' but not 'recording'.

“In theory, because we don’t have personal data we don’t have to apply the act's principles. This means we don’t have to tell you what we're looking for or why, we can make use of irrelevant details in the file, and of course, if there are inaccuracies in your file, we can just accept them as being the truth. This process is very secure: after all, we can’t lose what we don’t have. But don’t worry about all these issues. Because we rely on consent, we think we are a very ethical company."

John: “Well that is reassuring. I will just log on to my GP by the secure portal.”

Interviewer: “Please give me time to look away – I don’t want to see your password, do I? This is an example of our ethics in action!

Interviewer (after inspecting health records): ”Oh. I forgot to ask. The job you are going for involves access to financial information. Do you, by chance have access to an online banking account?”

In summary, the white paper has ignored the obvious problem of individuals having to consent to access by others for whatever reason. Let us hope it is fixed before that portal is ever opened.

* The enforced subject access loophole

Enforced subject access is the technique used by employers to obtain copies of criminal record data about employees or prospective employees when they don’t have legal authority to obtain these details from the Criminal Record Bureau (CRB). Under section 56 of the Data Protection Act, the enforced subject access procedure is an offence.

However, the offence is dependent on the CRB being able to provide a “basic check” (or a “criminal conviction certificate” to use the Police Act 1997 terminology) to applicants (usually the data subject). For whatever reasons, the CRB have been unable to deliver this service.

Section 75(3) of the Data Protection Act states that section 56 (i.e. the enforced subject access offence) does not come into effect until the “criminal conviction certificate”, the “criminal record certificates” and the “enhanced criminal record certificates” are all available. As the CRB only provide the two criminal record certificates (ie they do not provide the “criminal conviction certificate”), the offence has never been commenced...

Government has refused to change this law. Statutory protection has thus been removed from data subjects for 15 years. For more on enforced subject access, see references below.

References

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Beginner's guide to SSL certificates

More from The Register

next story
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.