The Equality and Human Rights Commission says government needs to overhaul its data protection regime
The Equality and Human Rights Commission (EHRC) has charged that the government’s legal framework covering the collection, use and storage of personal data is deeply flawed and is likely to lead to an increasing frequency of data protection breaches, many of them inadvertent.
That’s because the current legal framework means government agencies are often unaware of their obligations and may not realise when they break data protection laws, according to the EHRC’s new report, “Protecting Information Privacy”.
It’s also too difficult for citizens to find out which public or private-sector bodies hold information on them, or to find out whether the data is correct or being handled in the right way, according to the report.
The situation is ripe for more abuses as organisations seek and store increasing amounts of personal information. The new technologies enabling this process might also be exempt from current laws, according to the report. At the moment, for instance, there is no law covering the images captured by CCTV cameras.
The EHRC urged the government to simplify current privacy laws and to oblige government agencies to justify their requests for personal data, to ensure compliance with the Data Protection Act, the Human Rights Act and the Regulation of Investigatory Powers Act.
“The state is holding increasing amounts of information about our lives without us knowing, and without us being able to check that it’s accurate or challenge this effectively,” said EHRC commissioner Geraldine Van Bueren in a statement.
“This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified, and in the meantime public authorities need to check what data they have and that it complies with existing laws.”
The European Commission agrees that data protection legislation reform is needed and is working on a comprehensive new framework for data protection across Europe this year.
Speaking of the upcoming reform of the EU Data Protection Directive in May, EU Justice Commissioner Viviane Reding highlighted the same issue of simplification.
“I want to reduce the current fragmentation of the EU legal framework and further harmonise data protection rules across the EU, while maintaining a high level of data protection,” she said at the time. “I also intend to reduce the administrative burden for businesses. We have to cut all those notification obligations and requirements which are excessively bureaucratic, unnecessary and ineffective. We need to focus on those requirements which enhance legal certainty.”
Reding’s proposals will include holding non-EU organisations responsible for upholding European data privacy laws, meaning companies such as Google, Yahoo and Facebook could be held to account.
Also in May, the Article 29 Working Group accepted an opinion document from European Data Protection Supervisor (EDPS) Peter Hustinx arguing that geo-location data should be considered private. This means that mobile service providers will have to gain the user’s explicit permission to collect or relay location data.
The Information Commissioner’s Office (ICO) has been ramping up the pressure on organisations to protect personal data, and in July warned private businesses that they should be more willing to undergo data protection audits.
The warning came after the ICO published figures in its annual report which showed that private companies reported the most data security breaches of any sector in 2010/11.