Robin Wilton's esoterica

... now, what was the question?

A couple of 'identity database' stories hit the news recently: first, there are calls for the government to abandon plans for the life-long retention of an educational achievement record for all students currently aged 14 and under. At the same time, the "Responsibility in Gambling" Trust is calling for the creation of a national database of 'problem gamblers', so that gamblers who ask to be 'self-excluded' from one bookmaker's betting systems can be barred from all the others as well.

As far as the educational records database goes, I think the public is starting, thanks to several recent incidents, to get a pretty good grip on the right questions to be asking about proposals such as this. For example, is the personal data which is to be stored proportionate to the reason for storing it? The Learning and Skills Council database is apparently to contain "only hold factual information such as name, surname, age, postcode, qualifications achieved and courses attended".

Postcode? Isn't that a bit ephemeral? I'm a very long way from having the same postcode as I did the last time I took an exam. The postcode can't be in there to provide an index value, because every student will be assigned a 'lifelong "learner number"' for that purpose, whether or not they subsequently turn out to be a lifelong learner... though the LSC deny that this amounts to an 'ID card by the back door'.

What about the length of time for which it is to be stored? In this case, records are to be kept for the individual's entire working life. I don't know about you, but for all practical purposes (and pretty tenuous they were, too...) I have already forgotten all the Latin I learnt up to the age of 15, so what earthly good it would do anyone now to know what exam grade I got at O level is quite beyond me. On the other hand, I have no academic qualifications whatsoever in computing, IT security, cryptography, cryptographic key management and systems design... so in my case, the record would be entirely silent on those topics, which are arguably of far more practical use to anyone who would be entitled to look at my educational record.

What degree of consent and control can the data subject exercise over whether the data is held, who else is able to access it, and so on? How does that compare to the consent and control an individual is able to exercise over a set of paper exam result certificates? Some countries have systems which provide each citizen with a 'digital lock-box' into which they can put - at their discretion - electronic and digitally certified versions of documents which they might want to produce later on. That seems to me to represent a very interesting re-balancing of capabilities between the data subject and the public body, and one which might do more to convince the public that there is direct benefit to them in the storing of personal data.

Coming back to the database of problem gamblers; I in no way wish to downplay the problem of gambling addiction - it is clearly something which can devastate the lives of those affected and anyone financially co-dependent.  Coverage of the current story has publicised the case of one Graham Calvert, who is suing a bookmaker's firm for failing to exclude him after he had expressed a wish to be barred from gambling with them. Given that he apparently opened a new account in order to be able to resume his gambling, one might feel there was a certain amount of contributory negligence involved.

More recently, this week's "the answer's a database" story concerns the NSDR, or National Staff Dismissal Register. This goes live later in May, and will record details of employees who have been dismissed following charges of  "stealing, forgery, fraud, damaging company property or causing a loss to their employers and suppliers" - whether or not those charges have culminated in a conviction.

One argument, I suppose, will be that if the employer (and the police) conclude that there isn't enough evidence for a conviction, or that dismissal is punishment enough, then there's little to be gained by saddling the dismissed employee with a permanent criminal record. On that basis, though, other aspects of the scheme seem quite undesirable: for instance, the TUC and human rights group Liberty both express concerns that the scheme lacks enough governance measures to protect against false accusation - which could leave just as damaging a blot on the employment record of the accused. Similarly, employees who leave before a disciplinary hearing takes place will also have that recorded on the database... in other words, they risk being blacklisted despit ethe fact that there hasn't been a finding against them.

What looks particularly worrying is the response of the scheme's Chief Executive, Mike Schuck of AABC (Action Against Business Crime), to the point about unsubstantiated allegations. He is quoted as saying that if there's a dispute between an employee and employer about whether an [alleged] incident took place, "the worker will be able to appeal to the Information Commissioner's Office. We are limiting access to the database to employers who can
comply with the Information Commissioner's employment practices code".

Except that the ICO has no responsibility in that area. The ICO's remit includes data protection, privacy and electronic communications, freedom of information (public sector bodies only, not commercial employers), and environmental information regulations. The ICO could issue an enforcement notice if the data subject exercises
his/her right under the Data Protection Act to have false information
corrected, but the ICO has no remit concerning employment practices, and it's therefore hard to see what protection AABC thinks it offers to a dismissed employee disputing an alleged misconduct.

The underlying assumption seems to be that the mere fact of recording stuff in a database somehow overcomes any potential issues about the accuracy or truth of the data recorded, and the shortcomings of whatever governance regime has been put in place. If you talk to the administrator of any sizeable database, the one problem they will almost all own up to is that of data quality. Not scalability, resilience, availability, database design, inflexible reporting or management tools, but simply the amount of stuff in there which is redundant or just plain wrong.

Here's an idea: why not legislate* to make that a mandatory gating factor in every decision to set up yet another database?

*I know this breaks the rule that technologists should not tell policymakers how, whether or when to legislate, but it's at least worth musing about what such a piece of legislation might look like...