NO2ID

Given how inept the Home Office has failed to implement policies of Data Minimisation (as recommended in the Data Sharing Review by the Information Commissioner Richard Thomas and Dr. Mark Walport), and in its lax supervision of the data handling and security practised by its sub-contractors like PA Consulting, we are very worried by the potential for disaster which will come into force on the 1st October

Statutory Instruments 2008 No. 2353 - Disclosure Of Information The Serious Crime Act 2007 (Specified Anti-fraud Organisations) Order 2008

Specified anti-fraud organisations

2. The following anti-fraud organisations are specified pursuant to section 68 of the Serious Crime Act 2007--

(a) CIFAS;

(b) Experian Limited;

(c) Insurance Fraud Investigators Group;

(d) N Hunter Limited;

(e) The Insurance Fraud Bureau;

(f) The Telecommunications United Kingdom Fraud Forum Limited.

How many unencrypted databases, laptop computers, USB memory devices, CDROMs etc will these organisations, or the public bodies which disclose information to them, manage to lose or have copied by corrupt insiders ?

Sections 68 - 72 of the Serious Crime Act 2007 allows for such notorious data security bunglers as HM Revenue and Customs, or any other public body, to hand over, in bulk, our most sensitive personal financial information to the private sector companies and industry sponsored not for profit organisations.

This means that not just purely financial data can and will be shared, but personal names, addresses, medical records (e.g. to insurance companies) , sexual preferences, political allegiances etc. could also be shared, "for the prevention or detection or prosecution" of fraud.

There is a worthless restriction on these infinite powers:

(4) But nothing in this section authorises any disclosure of information which--

(a) contravenes the Data Protection Act 1998 (c. 29); or

(b) is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23).

However, neither of those bits of legislation place any restrictions on public authorities whatsoever, once the magic words "for the prevention or detection of crime" or "national security" (which includes the vague term "economic interests of the United Kingdom") have been uttered.

72 Data protection rules

In Schedule 3 to the Data Protection Act 1998 (c. 29) (conditions for processing sensitive personal data), after paragraph 7, insert—

“7A (1) The processing—

(a) is either—

(i) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or

(ii) any other processing by that person or another person of sensitive personal data so disclosed; and

(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.

(2) In this paragraph “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.”

information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceeding