The RPSCA will PNC you now

police-2Over the last few years we have highlighted various privacy concerns about a range of government databases, from the National DNA Database to the DVLA database. Our report in 2011 found how nearly 1,000 police officers had been disciplined for unlawful accessing information over a three year period. Violations of the Data Protection Act included running background checks on friends and potential partners and passing on sensitive information to criminal gangs and drug dealers.

Today The Register has revealed that the RSPCA is able to access information from the PNC, despite not having any formal prosecution powers and not being a statutory-organisation. The information handed over is subsequently going unaudited by the Association of Chief Police Officers Criminal Records Office (ACRO) – run by the Association of Chief Police Officers – who also charge for the access. This is despite the PNC User Manual specifically stipulating that auditing is required for organisations that have had access to ‘sensitive information’. If auditing is not being carried out, it is impossible to know whether the RSPCA are using the sensitive data under necessity and proportionately and if they are deleting it when their investigation has concluded.

The issue with the PNC is not merely about who has access to the information, but also about what kinds of information is being stored on it. Recently, a woman claimed that she has been harassed by police in High Wycombe after she ended a relationship with an officer. The woman has claimed that officers stopped her more than 70 times for suspected motoring offences including drink-driving and assault. Despite never being convicted of an offence, it has been claimed that officers filed a wealth of intelligence reports on her which have cost her three jobs after CRB checks were carried out.

There are three clear issues with the PNC as it stands. The first is that non-statutory bodies should not be able to gain access to information unless granted to do so by the courts. Secondly, if they are granted access to this information it is integral that they are then regularly audited to ensure that the information is being used, stored and deleted correctly. Thirdly, the databases should not be able to include any non-administrative information that has not been proven in court, unless there has been authorisation form a court to do so.

The RSPCA is not a part of the police service. It is not a criminal prosecutor. It is not a body established by Parliament to prosecute crimes. It should not have access to the Police National Computer, and nor should any other organisation of similar standing. If it wishes to see information held within it, it should go to court for a warrant.

Perhaps most illuminating of all, the Home Office confirmed to the Register – in response to this [PDF] information request – that it knows nothing about the legal basis of the agreement.  The Information Commissioner’s Office says it has never been challenged on the legality of the arrangement. Until now – we plan to file a complaint demanding the ICO investigates the lawful basis for this arrangement immediately, and orders the cessation of any third party sharing of PNC data until such a legal basis has been established.