Featured Article – Data About You Held By UK Government

In this article, we look at not just the story of how a staggering 400,000 police records were accidentally deleted but also at the wider picture of what information is held about us UK citizens by the authorities, and what powers we have over that data.

Deleted

After first being reported in the Times newspaper, momentum has grown around the story of how it appears that due to “human error”, according to Home Secretary Priti Patel, some 400,000 police records have been deleted from the Police National Computer (PNC) database.  When the story first broke, it was reported on some UK TV news broadcasts that 150,000 records had been deleted and that these were for people where no further action was needed on their cases anyway.

For example, policing minister Kit Malthouse has been widely quoted as saying that “the affected records apply to cases where individuals were arrested and then released with no further action, and we are working to recover the affected records as a priority”.  Mr Malthouse has also said, however, that he is not entirely sure yet whether the loss of data of these police records could have an operational impact on the work of the police.

Types of Records

The types of records believed to have been deleted include 200,000+ offence records,175,000 arrest records, and 15,000 person records, as well as 26,000 DNA records, 30,000 fingerprint records, and 600 ‘subject’ records.

Human Error?

It has been reported that the human error that is being blamed for the mass deletion relates to mistakes made on a routine “weeding” session of surplus data and the running of “defective code”.

What Now?

Despite the deletions, it is understood that work is underway to write a new code to somehow restore the lost data.

Public Safety

Clearly, losing the records of potential or known criminals could jeopardise investigations and adversely affect UK justice and public safety as well as letting down victims of crime and their families.

Data Security

In addition to being a threat to public safety, the mishandling or loss of personal data is normally a matter for data security laws. In this case, the data has been deleted and so isn’t in danger of affecting the privacy of security of data subjects. That said, there is an important distinction to make between data handled by businesses and by law enforcement, and to clarify what the data law situation is following Brexit.

The introduction of GDPR saw UK businesses having to upgrade their understanding of (and dealing with) personal data. Since Brexit, the DPA 2018, which already enacts GDPR’s requirements in UK law has been amended by and merged with the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amends the DPA 2018. The new amended and merged post-Brexit data laws in the UK are now known as ‘the UK GDPR’.

Unlike data held and processed by UK businesses however, data held by law enforcement and for the purposes of national security is (according to the ICO) not covered by GDPR (i.e. UK GDPR), which is similar to being exempt. Police data, used for the purpose of investigating a crime, for example, is subject to the rules in Part 3 of the Data Protection Act 2018.

Exemptions and Your Data Rights

There is also an exemption in GDPR for the processing of personal data for the prevention and detection of crime.  According to the ICO, if there had been a data breach from the police, the exemption under GDPR would mean that the police would not have to notify individuals of a personal data breach if that data had been processed as part of crime prevention and detection.  In essence, this appears to suggest that if your data is stolen from a police computer, you don’t have the same rights as if it was stolen from a business computer (i.e. you have lost some of your data protection rights).

What Kind of Data is Stored Where?

This case has triggered questions about the kind of data that is stored about UK citizens by the police and other authorities, as well as where and how that data is stored.

Police ‘data’ could refer to criminal convictions, cautions warnings, and reprimands, but also includes biometric data such as fingerprints and photos, CCTV footage (your image is your personal data), mobile phone messages, texts, emails, other written documents and more.

Police data can be stored by the local police force in your area as well as one of many national databases including, as in this case, the Police National Computer (PNC) or the National DNA Database (NDNAD), National Fingerprints Database (IDENT1), Custody Suite Imaging System (CSIS), and more databases besides.

For How Long?

According to the UK’s College of Policing, information about how long your data can or should be kept by the police is guided by a principle rather than a hard and fast rule, although a policy setting standard retention period should be set “wherever possible”.  The “Fifth principle” of data storage limitation says that for law enforcement and general processing personal data should not be retained for longer than it is needed, and police need to be able to justify how long personal data is retained for, depending on the purposes for holding that information.  This principle acknowledges that individuals have a right to erasure if that information is no longer needed although it also states that “personal data can be kept for longer if the police are only keeping it for public interest archiving, scientific or historical research, or statistical purposes”.

For Biometric Data (i.e. fingerprints and DNA) in most cases, the Protection of Freedoms Act 2012 amends to the Police and Criminal Evidence Act 1984 (PACE) to allow police in England and Wales to keep a person’s biometric information indefinitely. 

Criminal Records Check

Employers can request a basic, standard, or enhanced AccessNI check from the police records which discloses different types of information about a person’s criminal record history.  Basic and standard checks can take about 10 days whereas an enhanced check can take about 3 weeks.  Convictions for certain crimes will appear on these checks but some cautions, fines, offences and spent convictions won’t appear.

The different levels of checks are:

Basic – for details of all convictions considered to be unspent.

Standard – containing details of all spent and unspent convictions, informed warnings, cautions and diversionary youth conferences.

Enhanced – contains the same information as a standard check and police records held locally.  This type of check is usually required for work with children and vulnerable adults, the check may include information held by the Disclosure and Barring Service (DBS).

Requesting Your Data To Be Removed From Police Records

There are some circumstances under which a persons’ data, including biometric data in some cases, can be removed from police records on request. These circumstances are detailed here: https://www.acro.police.uk/Services/Record-deletion and guidance about the process is given here: https://www.acro.police.uk/ACRO/media/ACRO-Library/Deletion-of-Records-from-National-Police-Systems-(Guidance)-v2-1-April-2020.pdf.

Freedom of Information Request

In addition to much of the work of the police being kept secret for obvious reasons, much of the work of the UK government is also subject to laws relating to (national) security and privacy, although there is a wish to allow transparency where possible and where risks are minimised. The government actively publishes a lot of information and engages with the media as part of this transparency process.

Sometimes there are situations where individuals and organisations would like to find out more from the government (or the police) than what has been published or made freely available.  As the Institute for Government says, “Freedom of information, parliamentary questions and ministerial correspondence are important mechanisms through which Parliament and the public can get information out of government”.

The Freedom of Information Act 2000 allows members of the public and press to submit Freedom of Information requests (FOI).  If certain conditions are met, public authorities are then required under this act to release any information they hold relating to the request.  The Freedom of Information Act applies to government departments and the executive agencies and public bodies they sponsor, parliament, the armed forces, devolved administrations, local authorities, the NHS, schools, universities, and police forces.

Submitting a Freedom of Information Request

Anyone can submit a Freedom of Information request (FOI) and there are no restrictions on nationality, residency status or age. A request must ideally be made in writing (or verbally if writing is really not possible) and be sent directly to the relevant organisation, stating clearly what information is being requested, providing the requester’s real name with a valid address (postal or email) to where the reply can be sent.

If the recipient (e.g. a government department) decides that the request is resolvable, it may choose to either provide all or just some of the information that has been requested and it may decide to withhold some or all the information that has been requested. 

Numbers

Government departments usually receive up to 8,000 Freedom of Information requests every quarter.  In Q2 of 2020, for example, 6770 requests were received by the UK government.  Only 4956 of these were deemed to be resolvable and 1884 of these resolvable requests were withheld in full.

Guidance on submitting a Freedom of Information Request (FOI) can be found here: https://www.gov.uk/make-a-freedom-of-information-request

Looking Ahead

At the time of writing this article, the matter of the deleted 400,000 police records is still ongoing and information about the incident is still being gathered.  At the same time, questions are currently being asked about matters of responsibility and when the Home Secretary is going to be made available to answer questions about the incident.

The implications of this mass deletion of offence, arrest, person, fingerprint, and DNA records could be that the solving of other crimes committed by known offenders may not be possible because the data is no longer available to cross-reference.  The loss may also already be having an immediate impact on fighting crime as data from the Police National Computer (PNC) is used in real-time checks.  The best-case scenario now is, of course, that the data can be restored and that procedures are changed to make sure that the same error can’t happen again.  If the data cannot be restored this could be a major blow to law and order which could adversely affect individuals, communities, and businesses, and represents a frustrating waste of valuable time, effort, and police resources in gathering the data in the first place.