Most government departments lack basic data-protection and error-correction policies, responses to a series of Freedom of Information requests have revealed.
Garlik, a UK company that helps people find which of their personal information exists online, sent out the FoI requests between September and November last year. The FoI requests asked 30 government departments four questions about their handling of citizens' personal data.
Only one FoI request went unanswered — that sent to the Home Office, which said it had to delay its response "due to public interest concerns". Those that responded included HM Revenue & Customs (HMRC), the Ministry of Justice (MoJ), the Department of Health (DoH), and the Ministry of Defence (MoD), all of which have suffered significant data breaches in the past year or two.
Each government department was asked: whether it has a written data-correction policy; whether it has been audited to ensure compliance with the Data Protection Act (DPA); whether it has funding dedicated to correcting erroneous data; and whether it holds statistical data regarding the correction of incorrect information.
One of the principles of the DPA, which was passed in 1998, states that "data shall be accurate and, where necessary, kept up to date".
The results, revealed on Thursday, were described by Garlik as showing a "dangerous complacency regarding the accuracy of databases containing the personal information of British citizens".
None of the departments answered yes to all four questions posed in the FoI requests. Only three of the 30 departments approached had written correction policies and procedures in place, and only the Driver and Vehicle Licensing Agency (DVLA) and the Department for Transport have had independent audits to check they were complying with the DPA. None said it had funds allocated to or statistics on its correction of data.
"The government's complacent attitude towards managing and correcting our personal data is all the more shocking in light of the 176 public data losses that have occurred this year alone," Garlik chief executive Tom Ilube said in the company's statement on Thursday. "What people really care about is that if the government holds your personal data, it is accurate and well looked after."
"As we head towards ever-larger government databases, it is crucial that government deals more effectively with error rates and handles data in a way that maximises accuracy and prevents future breaches," Ilube said.
Garlik recommended that any government department running a large database should appoint a chief privacy officer to be held accountable for personal information. It also said every government department should have written procedures to manage, monitor and report on the accuracy of the personal information that it holds. In addition, all government departments should be periodically audited to ensure DPA compliance, and the results of those audits should be published, the company recommended.
Garlik was founded by former executives from the online bank Egg, along with former British Computer Society president Nigel Shadbolt. The company's advisory panel includes some of Shadbolt's fellow semantic-web pioneers, such as Wendy Hall and Tim Berners-Lee.
The Information Commissioner's Office had not responded to a request for comment at the time of writing.