Double standards on data protection

There is one positive side to the revelation that my bank account details, along with those of millions of other parents, are at large on a missing computer disk that Her Majesty’s Revenue & Customs sent by post to the National Audit Office. We can all enjoy the pleasure of watching the government squirm.

Talk about being hoist with your own petard: can this really be the same government that forces businesses to register with the information commissioner if they want to keep personal information about customers on a computer system – and which threatens them with a £5,000 fine if they fail to observe the pernickety detail of the Data Protection Act?

Does your internet shoe shop keep on record the fact that Mrs Jones of Llandudno suffers from bunions? That will be £35 to register that detail. It doesn’t stop there, of course. You must assess on a regular basis whether your business really needs to know about Mrs Jones’s bunions, and to delete the information if necessary.

You must ensure the information is kept somewhere under lock and key, and you must be prepared to answer Mrs Jones when she demands just how much you know about her bunions. And if you fail to let the commissioner know of any changes to the data, you can be fined five grand.

Scary stuff. But the commissioner does want to help you: just read the 162-page manual on how to undertake a “satisfactory adequacy audit” of your company. It tells you how to set up focus groups, conduct interviews and hand out questionnaires – all beautifully illustrated with impenetrable flow diagrams.

If, on the other hand, you are an official at HMRC with the personal bank details of millions of taxpayers, don’t worry about data protection: just bung an unencrypted CD of everyone’s bank account details in the post. Never mind that it might end up in the paws of some offshore criminals.

On the one hand you have obsessive bureaucratic processes that are supposed to be followed by every business – from banks to a one-man mail order company – and on the other you have a complete absence of common sense. In fact, I am not entirely sure the two things are not unrelated: bury people beneath reams of dogmatic regulations and they swiftly lose their capacity to think.

I suspect HMRC is not alone in its ham-fisted handling of data. Leaks become inevitable when the government collects so much of the stuff. The construction of databases has become a vast public sector industry, funded out of fees charged to those required to fill out forms. Much of this data collection is pointless.

Take the Norfolk engineering firm that was sent a 13-page Annual Business Enquiry Form with such questions as “what is the total net value of finished work of a capital nature carried out by your own staff produced for your own use?”. Why does the government need to know this when few businesses would even bother to calculate such an arcane figure?

The government, by the way, is not quite so forthcoming about divulging the data it keeps on us. I decided to write to MI5 and ask the organisation, under the Data Protection Act, to tell me whether or not it kept a file on me. I was sent a form demanding all my addresses since birth and asking me “is there any reason why you think we should keep any data on you?”.

Having filled that in, I was sent a weaselly-worded letter saying, “We have conducted a search of Security Service Records and have determined that the Service does not possess any personal data to which you are entitled to have access”. In other words: “We might have a file on you, we might not. We’re not telling you. But thank you for the personal details you provided us, and for the £10 cheque.”

Perhaps I should try the same kind of double-speak next time the government tries to get some data out of me: “I don’t have any information on my annual turnover that I am allowed to give you.”For more articles by Ross Clark, click here.

Share this story

Close
Menu
Send this to a friend