The European Union has been warned to sort out data quality in its IT systems that manage asylum and migration, and improve efforts to ensure people know how to exercise their personal data rights.
In a report on the collection, storage and use of biometric data in asylum and migration IT systems, the EU Agency for Fundamental Rights (FRA) called for action before the bloc sets up interoperable systems.
The main databases are the Schengen Information System (SIS II) for wanted individuals or stolen objects, the Visa Information System for biometric data, and the Eurodac fingerprint database for asylum seekers.
Four new systems are planned, including databases for criminal records and travel, and an overarching system pushing interoperability across existing and planned databases.
The report focuses on the impact such systems have on fundamental rights, as set out in various EU laws and the European Charter on Human Rights, and is based on fieldwork and interviews with asylum seekers and border force staff.
It found that, while biometric information was usually accurate, other IT systems contained inaccurate alphanumeric data, such as names or dates of birth, for a variety of reasons.
The FRA said that despite "significant efforts" to improve data quality, more attention is needed to ensure that low-quality information doesn't hinder people's rights, especially in systems used for asylum and border management.
Yorkshire cops have begun using on-the-spot fingerprint scannersREAD MORE
For instance, if someone is suspected of intentionally providing a false identity, it could affect the perceived trusthworthiness of their whole claim, the report said.
It also noted that Eurodac data quality tends to be more consistent than that in VIS, because member states are responsible for controlling the quality of VIS, while Eurodac is done centrally by the EU agency for operational management of large-scale IT systems (eu-LISA).
Such differences could have an impact on overall data quality when IT systems become interoperable, the FRA said. Member states need to make sure the information they store is accurate for it to be transferred to EU IT systems.
This is especially true because a person's biometrics will then be connected to their name in all other systems, which could make it harder for people to argue against mistakes.
"National authorities and experts attach a high degree of credibility to biometric data, and processing such data is technically complex," the report said.
"This makes it difficult for persons concerned to rebut errors in IT systems, and even more difficult to prove that a biometric match was incorrectly generated. FRA research shows that mistakes can occur when, for instance, a person's fingerprints are mistakenly linked to another person's alphanumeric data."
The report urged member states to adopt the best practices set by eu-LISA. This should include efforts to set EU-wide guidelines on cultural norms, like naming cultures and dates of birth according to various calendars.
In addition, it called for simplified procedures and technical safeguards to reduce mistakes, and more focus on the collection of statistics on inaccurate and low quality data.
Elsewhere in the report, the FRA said that despite data quality issues, complaints about incorrect or unlawful data use are rare.
However, it suggested that this might be because of people's lack of awareness or understanding of how to exercise their rights to access, correction or deletion. This it put down to the cumbersome nature of the process, admin hurdles, language barriers and a lack of specialised lawyers.
UK Home Office grilled over biometrics, being clingy with folks' mugshotsREAD MORE
"Such difficulties may be exacerbated if IT systems are made interoperable," it said. "The establishment of a 'one-stop-shop procedure' for receiving requests to access, correct and delete data could simplify procedures."
The report also called for increased data security safeguards on these systems to ensure asylum and migration data aren't unlawfully accessed, and make sure they only print and store hard copies where doing so is "duly justified".
Log files should be kept to monitor access, specifying who accessed a system and why, and these should be available to national data protection agencies and the European Data Protection Supervisor on request.
Lawmakers should also ensure that legislation on interoperable IT systems don't result in "circumventing access rules included in the legal instruments establishing the individual IT systems", it added.
The FRA also pointed out that, as Europol databases on stolen and lost travel documents and on individuals subject to alerts are linked to EU systems, member states need to be careful to manually review any information that has been entered by third countries.
"Oppressive regimes may include information about political opponents in these Interpol databases to prevent them from leaving the country or to track their movements," it said.
Related to this, the FRA sets out concerns about transfer of data to third countries, which could be damaging to those seeking international protection, and calls on authorities to take care not to share information with home countries when a person lodges their initial claim.
Meanwhile, using the IT systems to find and apprehend migrants in an irregular situation, for instance a list of people whose right to stay has expired, must be done with caution.
It warned against apprehension near essential service providers like schools or healthcare centres, which would affect fundamental rights. A similar argument against deterring migrants from seeking healthcare has been made against NHS Digital's sharing of non-medical NHS information with the Home Office for immigration enforcement.
The report also noted that border guards they interviewed said it would be possible to use IT systems to trace missing children – who can slip through the net if they enter unaccompanied, and fall victim to abuse or exploitation – but that the focus remains on catching perpetrators. ®