I’ve occasionally blogged about databases concerning UK youth. One of the problematic ones is a database of those considered youthful offenders. The Information Commissioner’s Office (ICO) has been speaking with the Youth Justice Board (YJB) over the administration of the Youth Justice Management Information System (Youth Justice MIS), as the database not only contains a great deal of sensitive information but also seems to be accessible to a lot of people, which is always cause for concern.
In the current issue of the bulletin on their site, the YJB discusses its most recent meeting with the ICO:
…. It was agreed that the YJB needed to continue collecting ‘mandatory’ data items in order for them to meet their statutory obligations under s41 of the Crime and Disorder Act 1998. However, the ICO’s view that data contained within the Youth Justice MIS should be considered as ‘personal’ data for the purposes of the Data Protection Act 1998 had not changed and the YJB recognises that the data should be treated accordingly.
[….]
As an interim measure, the YJB has commissioned technical changes that will result in key non-mandatory data items being removed from the core dataset available to Youth Justice MIS users.
Note that the data are not being removed from the database but are merely being removed from what is most widely available to users. As a temporary measure, the YJB will also remove the date of birth from what is available to most users of the system, even though date of birth is a mandatory piece of information that they collect.
In addition, the YJB will restrict user access to view this data, so only those users with a need to know will have access to sensitive personal data.
Which is as it should always have been.
These changes to how data is shared will be applied retrospectively to all data currently held within the Youth Justice MIS and to any new data uploaded. This should immediately address the concerns raised around personal data items held in Youth Justice MIS and mitigate any potential legal threats that YOTs may face from third parties.
Ah yes, let’s protect our own from litigation.
As a separate activity, the YJB is going to undertake an audit of inactive accounts, with the view to deactivating redundant user accounts.
Again, why hasn’t this already been part of their procedures? Have we not seen more than enough evidence of employees and others snooping into databases that contain sensitive information? Tiered access controls, auditing access on a regular basis, and removing data that does not need to be made available are all sound data protection policies. It’s a shame that it’s taking pressure from advocacy groups and the ICO to get the YJB to do what seems somewhat obvious. I expect that the ICO and advocacy groups will keep pressure on them to move as quickly as possible to harden their privacy and security controls.
Of course, what the YJMIS proposes are interim steps. In the interim, though, youths’ sensitive data remains at risk of snooping or exposure.