Government databases should be judged on privacy

The public has a right to be concerned over large-scale databases leaking personal information, and it needs to consider mandatory privacy impact assessments (PIAs).

So claims David Wright of Trilateral Research and Consulting, speaking this week at the annual ENISA conference in Greece.

He claimed that there was genuine public fear over governments keeping large databases of information, and people needed to be made certain that privacy wasn't being breached.

He referenced ContactPoint, a database that holds information on 11 million children in the UK, created after the abuse and death of an eight-year-old child.

After it became clear that Victoria Climbie had been visited by several social services organisations before her death, public outcry led the government to look into ways her death could have been prevented. This resulted in the formation of ContactPoint, with the aim of trying to better protect vulnerable children.

He said: "Unfortunately, the database that was set up to control one problem created another set of problems, in particular criticism over privacy and data protection."

Wright said that concerns were justified, given that 330,000 people would have access to the database. He added that making sure initiatives like these underwent PIAs could enable better decision-making and address any privacy concerns.

He described PIAs as a "systematic process for evaluating the potential effects on privacy of a project, system or scheme, legislation or technology and ways to mitigate or avoid adverse effects."

In the UK, PIAs are still voluntary. But in other countries such as Canada, all government initiatives that could raise privacy risks need to be looked at, with the results shared with a privacy commissioner.

"There has been discussion about making PIAs mandatory for government agencies in the UK, but so far this hasn't happened," Wright said.