The government's approach to the collection and use of personal data is "deeply flawed", according to a report from the Equalities and Human Rights Commission (EHRC).
The EHRC has joined in long running complaints from privacy activists with the publication of a report, Protecting Information Privacy (105-page PDF/716KB), which says public authorities may be unaware they are breaking the law, as the complexity of the legal framework makes their obligations unclear.
It acknowledges that the demand for information is coming from the public and the private sectors, and says there is a risk of eroding the right to privacy.
The report finds that it is difficult for people to know what information is held about them, by which government agency or private sector body, or how it is being used. For example, as there is currently no law regulating the use of CCTV cameras it would be very difficult for someone to find which organisations hold footage of them.
It can be hard to check the accuracy of personal data held, to hold anyone to account for errors in the data or its misuse and to challenge decisions made about someone on the basis of that information. Calling any public or private organisation to account is made more difficult because people often may not know what their rights are or know when a breach of those rights has occurred.
The EHRC says that breaches of privacy are likely to get worse in the future as demand for personal information increases and as new technology is developed that is not covered by existing legislation or regulations. Piecemeal reform of relevant laws, such as the proposals in the Protection of Freedoms Bill, may not be sufficient to ensure people's rights are protected.
In response, it makes a handful of recommendations:
- Streamline the current legislation on information privacy so that it is easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights.
- Ensure that public bodies and others have to properly justify why they need someone's personal data and for what purpose. Any requirement to use personal data for any purpose other than for which it was collected should go through a vetting process.
- All public bodies should carefully consider the impact on information privacy of any new policy or practice and ensure that all requests for personal data are justified and proportionate.
Geraldine Van Bueren, a commissioner for the EHRC, said: "It's important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it's accurate or being able to challenge this effectively.
"This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws."
This article was originally published at Guardian Government Computing.
Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.