Original URL: https://www.theregister.co.uk/2010/09/06/arch_ico_yjb/
Children's rights group threatens ICO with judicial review
Action over inaction against Youth Justice Board
Children's Rights Group ARCH has threatened to take the Information Commissioner to a judicial review after the data regulator declined to take enforcement action the Youth Justice Board for unlawfully collecting and distributing data.
According to Terri Dowty, Director of ARCH, the Youth Justice Board (YJB) is continuing to process data without consent, in a manner that is possibly discriminatory and even dangerous to the individuals concerned.
However, despite an admission by the Information Commissioner that his office may have misunderstood what the YJB was doing with its data, and an undertaking to investigate the matter further, no enforcement action has yet been taken.
A note from the ICO to ARCH suggests that its reluctance to take such action is primarily because the ICO initially got the law wrong, and since the YJB has been operating unlawfully for a year with its blessing, it would be wrong to intervene in haste now.
Just over a year ago, ARCH raised concerns over the way in which the YJB was collecting and storing data on young people.
Historically, the YJB has collected aggregated data on a quarterly basis from 157 local Youth Offending Teams (YOTs). Until July 2009, the medium for data collection had been "Themis", an electronic data collection system provided to YOTs as a standalone programme: data was used to provide statistics and reports and to answer parliamentary questions.
In 2009, this changed, as the YJB commissioned YJMIS. Under this system, client-level data is taken directly from YOT systems via software extensions commissioned from existing system suppliers. The data is notionally divided into "mandatory" and "discretionary" items although, according to ARCH, the software tool automatically copies all data, anyway. Nor is it clear where or at what point each YOT obtains the data subject’s consent to share "discretionary" data.
At issue is the fact that YJMIS uploads all data on individual clients, field for field, without aggregation, including ethnicity, date of birth, gender and where available postcode sector - that is, the first half of the postcode (outbound) plus the first digit of the second half.
According to the YJB, this was not personal information, as it did not uniquely identify an individual: however, as ARCH pointed out, and the ICO subsequently accepted, the above data is more than enough to identify an individual – particularly in rural areas.
ARCH specifically drew the attention of the Information Commissioner to a 2008 House of Lords ruling that data is personal where "if, taken together with the 'other information', they enable a living individual to whom the data relate to be identified".
YJB further claimed that the postcode information was discretionary, despite the fact that Careworks RAISE - one of the two systems used by local YOTs for data collection – does not allow YOTS to opt out of supplying sector postcode data.
These concerns were all put to the ICO by ARCH back in July 2009 – and the ICO first declared the YJB had no case to answer, then stopped responding to correspondence altogether. It was not until ARCH combined forces with other concerned organisations, including Genewatch UK, Privacy International and the Open Rights Group and wrote directly to Information Commissioner Chris Graham in June of this year that he responded, apologising for his organisation’s earlier failure to act and blaming "oversight".
He wrote: "Management information systems should not need to identify individuals and we therefore need to discuss your concerns about the system with the YJB urgently."
In July, a representative of the ICO met with the YJB, which finally accepted that the data being uploaded was personal data, and that it was legally responsible (ie, the data controller) for the information they hold. They promised that they would "review" the issue.
ARCH then wrote to the ICO asking it to use its s40(8) powers to take enforcement action, "given the flagrant nature of the breach and its potential for grave prejudice".
ARCH added: "A failure to take enforcement action would amount to a clear failure to regulate."
So far the ICO has declined to act, citing its own previous incorrect advice, and claiming that "the staff who have access are contractually obliged not to misuse information to which they have access". So that’s OK.
A spokeswoman for the YJB told us: "In response to the new opinion the YJB is working closely with the ICO to determine what steps are required to resolve this situation. The YJB is also seeking authoritative information assurance advice from a CESG CLAS (CESG Listed Adviser Scheme) consultant, which we will share with the ICO to determine next steps.
"It is important to note the ICO has not made any suggestion the YJB is processing personal data through the Youth Justice MIS unfairly."
A spokesperson for the Information commissioner’s Office (ICO) said: “The ICO has found that the Youth Justice Management Information System holds personal information, which could in some circumstances lead to the identification of an individual... We are currently working with the Youth Justice Board on a complete review of their management information system to ensure any information collected and held is done so in compliance with the Data Protection Act."
It added, "Having taken into account all the circumstances we do not believe that the immediate suspension of this database is a necessary course of action at this time. We will continue to work closely with the organisation throughout the review to ensure the privacy of individuals remains of utmost priority.” ®