Jane Fae Ozimek reports:
Children’s Rights Group ARCH has threatened to take the Information Commissioner to a judicial review after the data regulator declined to take enforcement action the Youth Justice Board for unlawfully collecting and distributing data.
According to Terri Dowty, Director of ARCH, the Youth Justice Board (YJB) is continuing to process data without consent, in a manner that is possibly discriminatory and even dangerous to the individuals concerned.
However, despite an admission by the Information Commissioner that his office may have misunderstood what the YJB was doing with its data, and an undertaking to investigate the matter further, no enforcement action has yet been taken.
I can see why they’re upset. Ozimek reports how the system works:
client-level data is taken directly from YOT [Youth Offending Teams] systems via software extensions commissioned from existing system suppliers. The data is notionally divided into “mandatory” and “discretionary” items although, according to ARCH, the software tool automatically copies all data, anyway. Nor is it clear where or at what point each YOT obtains the data subject’s consent to share “discretionary” data.
At issue is the fact that YJMIS [Youth Justice Management Information System] uploads all data on individual clients, field for field, without aggregation, including ethnicity, date of birth, gender and where available postcode sector – that is, the first half of the postcode (outbound) plus the first digit of the second half.
Read the full story in The Register.
They should read Paul Ohm’s articles on re-identification and how easy it is to identify people based on only a few pieces of data, much of which they seem to include in their database.