Public bodies and private corporations including Internet giant Google are flouting the public’s right to access personal data being held on them, according to a major new international study.
Researchers found that nearly half of data holders either failed to disclose the private information they stored on citizens or did not give a legitimate reason for not doing so when asked.
Among the organisations contacted in the pan-European study carried out by Sheffield University were banks, healthcare providers, supermarkets, universities, security firms as well as the US search engine company.
Attempts to find information were routinely met with serial malpractice as well as obfuscation and ignorance of obligations under the law, it was claimed.
Campaigners described the findings as “shocking” and accused regulators and legislators of failing to safeguard citizens’ rights.
Professor Clive Norris, who led the study – part of the EU-funded Increasing Resilience in Surveillance Societies project – said individuals handed over private data on a daily basis, creating “vast and invisible reservoirs of personal information”.
“We are selectively marketed to, our locations are tracked by CCTV and automated licence plate recognition systems and our online behaviour is monitored, analysed, stored and used. The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts to access it,” he said.
“In our view, there is an urgent requirement for policymakers to address the failure of law at the European level and its implementation into national law. Organisations must ensure that they conform to the law,” he added.
Under the EU Data Protection Directive, which has been enshrined in domestic laws in Europe since 1998 and which is set to be updated in the new Parliament, individuals have a right to be told what data is held on them – such as criminal and health records, consumer loyalty card information and even CCTV images.
As well as the 43 per cent that did not respond adequately to inquiries, a further 56 per cent of sites contacted failed to provide a legally compliant answer to reveal who that information was shared with.
Even when a successful outcome was achieved the process was described as fraught and time-consuming, with researchers greeted with scepticism and suspicion. Responses were delayed or incomplete in some cases.
In seven out of 10 cases, the question of whether private details were being passed automatically between company computers was not adequately addressed.
The authors of the study, who made approaches to 184 public and private sector organisations across 10 countries, found that in a fifth of cases it was impossible to locate an individual controller responsible for dealing with an organisation’s data responsibilities.
Researchers made seven requests to Google during which they were confronted with a “number of difficulties”, the study found.
In one instance two letters were returned from the company’s national headquarters with a notice saying the recipient had not taken delivery. When requests could be made to national offices the company refused to process the application arguing that Google’s data controller was based at the company’s headquarters in California. No offer was made to forward the requests.
Once the applications were sent to Google HQ, only one received a response.
Gus Hosein, executive director of Privacy International, said: “The results of this international study are shocking, and point to a disappointing failure on the part of those who handle our personal information and those who are supposed to enforce our rights.”
He added: “Companies are putting profit ahead of our rights, regulators are asleep, and Parliaments incapable of responding to the expansion of the voracious data industry.”
Google declined to comment on the research which is being presented at a conference in Sheffield this week.
A spokesman for the Information Commissioner’s Office, which is responsible for upholding data rights in the UK, said the Data Protection Act required a response to requests within 40 days.
“Failure to do so is not only a breach of the Act, but will quickly result in the loss of consumer trust and business,” the spokesman added.