III. Privacy topics
Internet and consumer privacy
The UK has not been successful in fostering a culture of security for personal data. Personal data from government computers are regularly disclosed inadvertently or for profit-making purposes. The ICO released two reports in 2006 revealing an extensive illegal trade in personal data among police and private detectives who obtain information through bribery or impersonation.6 There have been a series of major losses of personal data in recent years, mostly by government bodies. In one of the most high-profile cases, HM Revenue and Customs (HMRC) lost 25 million records belonging to 7.25 million UK families receiving child benefit.7 Other major cases include a contractor in Iowa, USA, losing 3 million UK driver records,8 the Ministry of Defence losing a laptop with the personal data of 600,000 recruits,9 and PA Consulting, a major contractor for the National ID system, losing 377,000 information records that included 84,000 UK prisoners in August 2008.10 The National Health Service has been a particularly bad culprit, responsible for more than 300 breaches between November 2007 and June 2010.11 There have also been numerous incidents in the financial services sector, resulting in large monetary sanctions from the Financial Services Authority. Overall, the ICO received reports of over 400 breaches over the 2009-2010 period. These incidents have led to increased calls for the adoption of a national breach notification law, under which organisations would be compelled to report the loss or misuse of personal data. To date, only a few European Member States, including Germany and Austria, have enacted breach notification legislation.
Online targeted advertising and search engine privacy
Nothing to report.
Online social networks and virtual communities
Nothing to report.
Online youth safety
Nothing to report.
Health and genetic privacy
The British Medical Association, amongst others, has already expressed concern that the Spine database system is being rolled out too quickly, and there have been recent media reports that an NHS Trust in Wales is failing to ensure that proper restrictions are placed on hospital staff accessing patient data.
The police have been criticised for building up a database of protesters. In the case of Wood v. Commissioner for Police of the Metropolis (2009),12 the Court of Appeal found that the Metropolitan Police had acted unlawfully when it retained photographs which it had taken of an anti-arms trade campaigner.
In March 2009, the Joseph Rowntree Reform Trust published its report "The Database State" which considered 46 databases across the major government departments including the national DNA database, the national pupil database, the NHS detailed care record system, and the automatic number-plate recognition system.
In summary, the report concluded that:
- a quarter of the 46 databases reviewed were "almost certainly illegal under human rights or data protection law; that they should be scrapped or substantially redesigned" (including, for example, the Contactpoint index of all children in England and the national DNA database);
- "more than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge" (including, for example, the NHS Summary Care Record and the National Pupil Database);
- fewer than 15 percent were "effective, proportionate, and necessary with a proper legal basis for any privacy intrusions";
- Britain was generally out of line with other developed countries as a result of its comparably greater tendency to centralise and share records on sensitive matters like healthcare and social services;
- "the benefits claimed for data sharing are often illusory".
Under a voluntary moratorium agreed by the former Labour government and the insurance industry in 2001 and renewed in March 2005 and June 2008, insurance companies will not demand or use the results of genetic tests for policies under £500,000 unless approved first by the Genetics and Insurance Committee. The moratorium lasts until 2014. Tests done for research studies do not have to be disclosed.13 The level of protection for employees is less clear.14 Certain groups had demanded legal protections against genetic discrimination in the Equality Bill, but these were not included in the final draft of the legislation.15
- 1. The Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003 No. 2426, September 18, 2003, available at http://www.hmso.gov.uk/si/si2003/20032426.htm; The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2004, available at http://www.opsi.gov.uk/si/si2004/20041039.htm; see also "Spam": Report of an Inquiry by the All Party Internet Group, October 2003, available at http://www.apig.org.uk/spam_inquiry.htm.
- 2. Information Commissioner’s Office, Bluetooth spam not covered by ICO guidance, 11 October 2007, available at http://www.ico.gov.uk/upload/documents/pressreleases/2007/bluetooth.pdf.
- 3. "UK companies 'flouting spam laws'," Silicon.com, 8 January 2007, http://www.silicon.com/management/cio-insights/2007/01/08/uk-companies-f....
- 4. "Court victory hailed as spam stopper," The Guardian, 28 December 2005.
- 5. "OFT gains powers to seize spammers' PCs," ZDNet, 28 February 2007, http://www.zdnet.co.uk/news/security-threats/2007/02/28/oft-gains-powers....
- 6. Information Commissioner’s Office, What Price Privacy?: The unlawful trade in confidential personal information, May 2006; What price privacy now? The first six months’ progress in halting the unlawful trade in confidential personal information, December 2006. Available at http://www.ico.gov.uk/. See also "Officer jailed for leaking police records to violent criminal," Out-Law, 13 April 2007, http://www.out-law.com/page-7956.
- 7. "UK's families put on fraud alert," BBC News, 20 November 2007, http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm.
- 8. "'No cover-up' on lost driver data," BBC News, 22 August 2008.
- 9. "MoD admits loss of secret files," BBC News, 18 July 2008, http://news.bbc.co.uk/2/hi/uk_news/7514281.stm.
- 10. "Home Office data loss included drug records," ZDNet UK, 27 August 2009, http://www.zdnet.co.uk/news/security-management/2009/08/27/home-office-d....
- 11. "NHS top culprit as UK data breaches exceed 1,000," ZDNet UK, 1 June 2010, http://www.zdnet.co.uk/news/compliance/2010/06/01/nhs-top-culprit-as-uk-....
- 12. EWCA Civ 414.
- 13. Concordat and Moratorium on Genetics and Insurance, March 2005, available at http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/docu....
- 14. See Genewatch, "Genetic Testing in the Workplace," June 2003, available at http://www.genewatch.org/uploads/f03c6d66a9b354535738483c1c3d49e4/Geneti....
- 15. Equality Act 2010 (c.15), available at http://www.opsi.gov.uk/acts/acts2010/ukpga_20100015_en_1.