Non-police orgs merrily accessed PNC without authority, says HMIC
Campaigners bemoan 'shadowy way' Police National Computer is run
Her Majesty's Inspectorate of Constabulary (HMIC), which inspects Britain's police forces, has reported on several cases of misuse of the Police National Computer (PNC) by non-police organisations.
The PNC is a law enforcement database that holds personal information about people arrested by police or convicted of crimes – as well as similar information about people who have come to police notice for whatever reason but are not convicted of any offence.
After its inspections, which were carried out in 2014, HMIC reported it found that the Scottish Society for the Prevention of Cruelty to Animals (SSPCA), the Gangmasters Licensing Agency, the FCA and Children and Family Court Advisory and Support Service were all accessing the PNC. They once had contracts allowing them do so, known as Supply Agreements, but they have long since expired.
In a blog post on these reports, campaign group Big Brother Watch noted:
The FCA was one of the worst offenders, not only had they failed to re-apply for access for three months prior to the inspection, but the original agreement setting out what uses of the PNC were permitted was found to be extremely vague. The fact that under the Investigatory Powers Bill the FCA are set to get more powers to snoop on our browsing habits is something that adds even more concern to the situation.
Big Brother Watch additionally stated: “It is astonishing that all these agencies could continue accessing the PNC, in some cases for years, without anything being done to stop it. They may well have persuasive cases to make supporting their access, but they have to follow the rules and actually make them rather than simply carrying on regardless.
Hullo hullo hullo, what's all this, then?
The PNC exists in one of the more curious and obscure legal hinterlands of British law enforcement.
Based on the same Fujitsu mainframe it was installed on in the 1970s, the PNC was owned by the Association of Chief Police Officers (ACPO) until that body was replaced by the National Police Chiefs' Council (NPCC) last year .
Unlike ACPO, which was a private company, the NPCC doesn't exist as a legal entity but is rather a collaboration established by a legal agreement between “relevant parties” under Section 22A of the Police Act 1996. Whether the NPCC may therefore own the PNC isn't clear, and neither the NPCC press office nor the Home Office were able to clarify this for The Register at the time of publication.
While the PNC is managed and controlled by the Home Office, the ministerial department in charge of policing, the information it contains is contributed thereto by the individual police forces, who together form the NPCC. While individually these forces are beholden to the Home Office, they collectively, as ACPO in 2014, actually had “the right to withdraw the use of PNC from the Home Office if they have reason to believe it has been misused.” (PDF)
Police misuse of the PNC has been widely documented. Earlier this year the Biometrics Commissioner reported that forces have been hacking the PNC in different ways to avoid it flagging suspects' biometric data for deletion after their release.
Access to the PNC extends much further than the cops, however, and HMIC has published a number of reports highlighting misuse amonst 10 non-police agencies, including the Financial Conduct Authority (FCA) and the Scottish Society for the Prevention of Cruelty to Animals (SSPCA).
While the list of non-police organisations that HMIC reported on is not an exhaustive list of all who can access the PNC, the 10 inspected agencies alone made more than 50,000 queries of the PNC in less than two years, either through “discrete computer terminals installed in their premises”, which is known as “direct access”, or “through a third party, usually a police force”, a process known as “indirect access”.
“In either arrangement,” HMIC reported, “the public needs to have confidence that access is properly regulated and that effective auditing arrangements are in place. This is important because much of the information held on the PNC is sensitive and personal.”
Big Brother Watch had the final word: “It’s high time that more information is released to give citizens a better understanding of who can access the PNC, what is held on it and how long it is kept for. For too long the PNC has been run in a shadowy and un-transparent way. This news simply raises the possibility that even those in charge of it have no idea what is going on.” ®