Does the RSPCA have your gun licence or car registration? NOBODY knows

When are cops not subject to FOI? When they're animal cops

No checks are carried out on what the Royal Society for Prevention of Cruelty to Animals (RSPCA) does with confidential records it receives from police databases, including information on people's vehicles and gun licences, The Register has learned.

Precise details of the Information Sharing Agreements (ISAs) between the RSPCA and police forces are now coming to light, thanks to FOI requests.

The charity's ISA with Cumbria Police (PDF, 6.8MB) allows them to request access to vehicle information - and specifically includes "information held on the National Firearms Licensing Management System" (page 7).

The ISA with Hertfordshire Police (PDF, 3.4MB) says the same thing: vehicle information may be shared on request, and there is no exclusion for sensitive firearms data.

No other private organisation enjoys similar privileges of being able to request access to the Police National Computer (PNC). ACPO disclosed a list of organisations who can request access to the PNC after The Register broke the story of how RSPCA workers were accessing individuals' criminal records. The other "non-police prosecuting agencies" are all arms of government such as the Civil Aviation Authority, Ofcom, the Environment Agency etc. The RSPCA, by contrast, uses its charity money to bring private prosecutions against those it deems guilty of cruelty to animals (so saving the police and other government agencies a lot of time and money, which probably explains the unique level of access they offer it).

The vehicle and firearms databases are separate systems that feed into the PNC. Licensing info for firearms and shotguns is held on the National Firearms Licensing Management System, or NFLMS. The British Association for Shooting and Conservation believes at least 10 police forces have ISAs with the RSPCA – but have not yet disclosed them.

Details held on the NFLMS include firearms owners' addresses, details of the firearms and ammunition they hold (including the precise purposes for which some firearms may be used – for example, hunting over a defined area of land, along with the landowner's details), and, in some cases, details of security arrangements protecting the firearms from unauthorised access. The police generally discourage firearm owners from disclosing such details themselves, except on a need-to-know basis.

Under the ISAs the RSPCA promises to dispose of the information when it is no longer needed: "In most cases, it is expected that information shared with the RSPCA will therefore be destroyed within a maximum timeline [sic] of 6 years."

But there's simply no way of knowing whether this is true.

The police do not undertake audits of the data once it leaves their control, as recommended by Lord Leveson. The Home Office confirmed it was not aware (PDF) of the legal status of the arrangement. The Information Commissioner has not been challenged on the legal basis of the arrangement, either.

For its part, the RSPCA can legally tell members of the public who make FOI requests to get stuffed – unlike the police and the other non-police enforcement agencies, it is not a public authority under the terms of the Freedom of Information Act. An individual suspecting that the RSPCA had files on him or her could make a subject access request under the Data Protection Act - but organisations are exempt from compliance with this process if data is held for the purpose of "the capture or prosecution of offenders". ACPO claims that the RSPCA only gets access to police data when it intends to prosecute someone, so this exemption would no doubt be generally claimed.

And since nobody is auditing the RSPCA's databases, and they're not subject to any legal disclosure routes, there's no telling what information they have and what they do with it.

Civil liberties campaign group Big Brother Watch plans to file a complaint with the ICO demanding it order third-party access to the police databases to cease, and requesting an investigation into the legal basis of the arrangements. ®
