This page has some real-life (as opposed to hypothetical) examples of abuses of our personal data. See also Data Loss for information on data that has gone ‘missing’. This document is updated from time to time. It was most recently updated on 23 January 2009.
Of course the risk should not be over-estimated. However this page is intended as a counterpoint to the claims along the lines of “if you have nothing to hide you have nothing to fear”, “trust us, we’re the Government and there are laws against data abuse therefore it doesn’t happen”, or “if it saves the life of just one child it will be worth it”. Data abuse can even cost lives – as can be seen in the section on June 2007.
It is also important to note that this list is only of articles that I’ve seen. There may be more articles about other instances of data abuse, and there may be many instances of data abuse that have gone unreported.
Also see an external website’s article entitled Group Classification on National ID Cards as a factor in Genocide and Ethnic Cleansing.
For (non-exhaustive) examples of public sector databases, please see the article entitled, The totality of surveillance proposals.
Scotland on Sunday reports, “THE health records of Gordon Brown and Alex Salmond were allegedly hacked into, a newspaper claimed last night. The Prime Minister and First Minister are among several high-profile Scots whose confidential files were allegedly accessed without their permission, according to the report.”
A DWP bulletin says, “Regrettably checks have identified some LA staff are committing serious security breaches. To be absolutely clear, and by way of reminder to all LA users accessing CIS, users should not: access their own records or the records of friends, relatives, partners, or acquaintances; make enquiries on behalf of colleagues in respect of their friends, relatives, partners, or acquaintances; share their system, Government Gateway or other identity password with their colleagues; or access CIS for any unauthorised purpose.”
The Register reports that “A London policeman who attempted to blackmail sex offenders and drug dealers has been jailed for six years. PC Amerdeep Singh Johal, 29, was arrested by anti-corruption cops from Scotland Yard in July 2007. Johal was employed in checking names and address on the police database, called Crimint, on behalf of beat cops. He abused the role to contact 11 convicted offenders and threaten to spill the beans on their crimes unless he was given “hush money”. Johal requested between £29,000 and £31,000 for his silence, threatening to tell work colleagues or neighbours of convicted sex offenders about their crimes. In one instance Johal demanded £89,000 as a “goodwill gesture”. He also used Crimint to research drug dealers, including a member of a group rejoicing in the title The League of Four English Gentlemen.”
The Herald reports that “Seven prominent BBC journalists are among a group of patients who have been warned that their personal health records may have been inappropriately accessed by a doctor. … Yesterday, patients caught in the mysterious drama told The Herald they were deeply concerned by what might have motivated such behaviour. One woman from Glasgow said: “It’s bad enough discovering that my private medical records have been accessed in this way but what’s really disconcerting is not knowing what this guy was up to. “How come someone in Fife can see NHS records for anyone in Scotland? I’ve got absolutely no connection at all with Fife.””
The Telegraph reports that “Parliamentary answers from three Government Departments reveal that up to 260 officials were disciplined or dismissed “for alleged breaches of data protection requirements and inappropriate use of personal or sensitive data” in the past year. Most of the people – 192 – were disciplined or dismissed at HM Revenue and Customs, which last November admitted losing personal details of 25 million people from the child benefit database. As many as 45 officials could have been disciplined for data protection and personal information breaches at the Home Office agencies including 15 from the Identity and Passport Service in the year to the end of March. Another 20 civil servants were disciplined at agencies run by the Department for Work and Pensions in the 12 months to the end of March.”
Home Office releases figures on numbers of staff disciplined and dismissed for misconduct relating to personal data. Kable reports that “the Identity and Passport Service has dismissed 14 people over the last three years, most for abusing access to the passport database. Of 16 cases where data protection was breached, all but one involved members of staff who had legitimate access to the Passport Application Support System database, and who used this for unauthorised checks not related to their duties. The other case involved a contractor misusing data to which he had legitimate access.” The IPS is to look after the National Identity Register.
The Daily Telegraph reports that “a battered wife’s confidential address details were twice passed to her ex-husband by his girlfriend while she was working in a Government tax office. Mother-of-two Donna-Lee Camacho, 28, lived in fear while her former spouse – who cannot be named for legal reasons – tracked her down. One of the addresses Sarah Gillett, 33, passed on to him was for a women’s refuge where Miss Camacho and her sons, aged four and 11, were trying to rebuild their lives. She was able to access the information because she worked for the Child Tax Credit department. Gillett was jailed for 18 weeks at Preston Magistrates Court, Lancs, after pleading guilty to a charge of wrongful disclosure of HM Revenue and Customs information.”
The Telegraph reports that “young women fleeing forced marriages are being betrayed by GPs and benefits staff who “collude” with families to return them against their will, a senior police officer has revealed. Doctors and Job Centre workers are breaching confidentiality rules and passing on vital information to families, allowing them to trace and punish Asian women who are attempting to escape coerced marriages and “honour”-based domestic violence.”
ZDNet reports that “HM Revenue & Customs has had to discipline over 600 staff since 2005 over data-protection incidents, according to Treasury financial secretary Jane Kennedy. Kennedy revealed on Wednesday in a written answer to parliamentary questions that 238 staff were disciplined at HM Revenue & Customs (HMRC) in 2005, dropping to 180 in 2006 and 192 in 2007. The figures were revealed in answer to a written parliamentary question by Conservative MP James Brokenshire. … Kennedy also revealed in answer to written questions from other MPs that, since 2005, HMRC has had 11 data-security incidents that have been serious enough to be reported to the data-protection watchdog. “Since April 2005, HMRC has discussed 11 data-security incidents involving customer information with the Information Commissioner’s Office as a matter of good practice and to ensure appropriate lessons are learned from such incidents,” said Kennedy.”
The Sun reports that “A ruthless rapist found victims by getting a job as a care worker and trawling a council’s database for vulnerable young girls. Simeon Kellman, 43, used computer records to identify teenagers who had just come out of the foster care system. Then he forced his way into their homes and attacked them. Kellman has just been jailed for eight years for the vicious rape of an 18-year-old, who was blindfolded and bound.” The Met police say “Further investigations revealed that Kellman had accessed information concerning the woman on the council database more than 30 times.” (I posited this risk existed in an article on NHS medical records.)
The BBC reports that “Two brothers have been found guilty of manslaughter after a row over a parking space spiralled into a revenge attack. Bernard Gilbert, 79, died minutes after a brick was thrown into his home in Spondon, Derby, on 28 January 2007, Nottingham Crown Court was told. … The trial heard that Mr Gilbert had been involved in a dispute over a parking space at Asda with Zoe Forbes, 26, four days before his death. The court heard how Mark Forbes then plotted a revenge attack and traced Mr Gilbert’s address through a then-serving police officer. The officer, Stephen Smith, has since resigned and was fined £1,200 under the Data Protection Act.”
Civitas reports that “criminal misuse of officially private but widely accessible personal information is an increasing occurrence. The Centre for Social Cohesion’s recent report, Crimes of the Community, documented several instances when young women have fled honour-based violence in the family home, only to be tracked down via informal family networks spanning taxi services, the police and civil servants often using national databases used by public sector workers.”
The Times reports on a form of identity theft involving a phantom tenant taking out a mortgage on someone else’s property using information taken from the Land Registry’s website.
The BBC reports that “Patients’ confidential medical records are regularly being accessed by people who have no right to them, research by the BBC has revealed. Figures obtained under the Freedom of Information Act reveal that in the last year there have been several data security breaches in the West. [of England, I think.]”
The BBC reports that “Two former policemen have been jailed for hacking into computers while working as private detectives. Ex-Met officers Jeremy Young and Scott Gelsthorpe even tried to hack into the New York Stock Exchange. They received 27 months and two years respectively. Three former Staffordshire officers were jailed for unlawfully accessing the police national computer.” The article does not make it wholly clear that some of them were serving officers when the offences were committed.
The Belfast Telegraph reports that “Cops probing suspected leaks of medical records at a top Ulster hospital believe they may be linked to the intimidation of witnesses in a loyalist terror case.”
The BBC reports that “A police officer who sold secrets to a private investigator has been jailed at Southwark Crown Court for 15 months.”
PC Pro reports that “In 2005, PC Pro revealed how computer evidence used against 7,272 people in the UK accused of being paedophiles had been founded on falsehoods (see issue 130, p152). The misleading evidence, which claimed that every user of a Texas porn portal had to click on a banner advertising child porn to access illegal websites, was withdrawn last summer. “It’s specifically not alleged that [the accused] would have…seen a banner saying ‘Click Here Child Porn’,” a British court was told. The climb-down came too late for many; between then and now, the death toll of those who have killed themselves under pressure of the investigations in “Operation Ore” has risen from 33 to 39. Hundreds of police raids across Britain found no evidence that many suspects possessed, or were even interested in, child pornography. Because of the huge volume of computers and disks seized for examination, police high-tech crime capabilities were reportedly crippled for years. Now, PC Pro can exclusively reveal that not only did police evidence in Operation Ore pretend users had asked for “child porn”, but that many of the Britons who have been publicly branded dangerous paedophiles were merely victims of systematic credit card fraud – some of it run by a Mafia crime family – and had never subscribed to the websites.” (Also see the Guardian and Light Blue Touchpaper.)
The BBC reports that “The number plate system needs to be completely overhauled to beat a rise in “car cloning”, police have said. … Tony Bullock’s car was cloned even though his plates were not physically stolen, and he was threatened with prosecution after “his” car was repeatedly caught speeding in Leicester.” He said: “It was horrendous. You are guilty until you can prove you’re not. It’s the first time that I’ve thought that English law is on its head.”
The BBC reports that “Members of an international gang who made £4.5m selling luxury cars stolen in violent attacks have been sentenced. … DVLA official … admitted corruption in a public office and was sentenced to 200 hours community service.”
The Register reports that “The Foreign and Commonwealth Office (FCO) has closed its online service for visa applicants from India while it investigates a security breach that made the personal details of visa applicants available online. … The security hole was originally reported to both VFS and the British High Commission more than a year ago but no action was taken. … VFS’s online service could apparently be subverted by making changes to its URL – doing so gave a browser access to the firm’s database of visa applicants, which stored passport numbers, names, addresses, and travel details. … VFS also processes online applications for UK visas from Nigeria and Russia. The FCO could not confirm whether the same problem occurred in the systems operating in these countries as well, but did say that their sites had been closed down.”
The Guardian reports that “A private investigator used by companies chasing vehicle hire purchase and bank debtors was convicted at Kingston magistrates court in south-west London. Nicholas Munroe, 32, of west London, conned civil servants into giving home addresses of more than 250 people over the phone. He was convicted of 44 offences of stealing and selling private data in a prosecution brought by Richard Thomas, the information commissioner, and fined £3,200 plus £5,000 costs.” [annual turnover of £100,000! – ukliberty].
Outlaw.com reports that “High street banks are throwing customer information into bins outside their premises in breach of the Data Protection Act, according to privacy watchdog the Information Commissioner.”
The Law Gazette reports that “The Department for Constitutional Affairs (DCA), the Crown Prosecution Service (CPS) and the Courts Service have never fully checked their compliance with the Data Protection Act – despite the legislation being in place for more than six years. According to documents obtained by the Law Gazette under the Freedom of Information Act, neither the DCA, the CPS nor the Courts Service has ever done a full audit as to whether they correct or maintain personal information in accordance with the law.”
The Mail on Sunday reports that the DVLA sells data without consent to convicted criminals.
The Guardian reports that “Investigations by [ICO] staff and police had uncovered “evidence of a pervasive and widespread ‘industry’ devoted to the illegal buying and selling of [personal] information.”” (see also What Price Privacy?, the BBC, and SpyBlog).
The Register reports that “the CRB has not used its new powers to strike off any new agents who had broken the law by discriminating against ex-offenders. In the twelve months to 1 April 2006, the CRB upheld 2,273 complaints by people about disclosures the authority had made about them. Not only are those private organisations requesting the checks abusing the system, but the CRB itself is arguably in breach of the law by making the checks on their behalf.”
The Register reports that “security at the British Home Office’s Identity and Passport Service (IPS) database has been compromised four times, with individuals’ data used inappropriately by Home Office employees and contractors. A fifth breach has hit a Prison Service database.”
ZDNet reports that “The Home Office has admitted that the security of its ID and passport service database has been compromised several times, but denied that remote hackers were responsible. In a response to a parliamentary question at the end of last week, the Home Office said it had had five security breaches in five years, mostly caused by civil service staff. “The security breaches didn’t involve people hacking into the systems,” a Home Office spokesperson told ZDNet UK on Thursday. Four of the five incidents involved members of staff accessing the ID and Passport databases for unauthorised purposes. Three used their systems access privileges to conduct checks that were “not connected to their duties”, according to an ID and Passport service spokesman, while in the other breach the staff member “misused data he was entitled to access”. … The fifth security breach occurred in a prison service legacy system, where a “technical failure” caused the system to crash. The system has since been replaced, according to the Home Office.”
Personnel Today reports that “Thousands of people have been subjected to illegal background checks when they applied for jobs that did not require vetting, according to a report on the Criminal Records Bureau.” Also reported by the Times.
The BBC reports that “Some 2,700 people have been wrongly labelled as criminals by the Criminal Records Bureau (CRB). The mistakes have led to some people being turned down for jobs.”
The Guardian reports that “Two national newspapers paid to receive confidential information from the police national computer, a court heard yesterday. Articles from the Sunday Mirror and the Mail on Sunday were used in evidence against two former police employees and two private investigators charged with offences involving the sale of police information to the press. …Two private investigators, John Boyall and Stephen Whittamore, civilian police worker Paul Marshall, and retired police officer Alan King, were involved in a conspiracy to sell details relating to actor Ricky Tomlinson, London Mayor Ken Livingstone and EastEnders actress Jessie Wallace. According to reports, on 19 occasions, Marshall, who worked at Wandsworth Police Station, carried out unauthorised Police National Computer searches and passed the information on through intermediaries King and sometimes Boyall, to Whittamore, who peddled the data to the newspapers.”
The BBC reports that “Two council CCTV camera operators have been jailed [for four and two months respectively – ukliberty] for spying on a naked woman in her own home.” The Judge said, “You only have to read the impact statements of the lady to realise the harrowing effect that this had on her. Her life has almost been ruined, her self-confidence entirely destroyed by the thought that prying male eyes have entered her flat.”
Personnel Today reports that “Employers that abuse the Criminal Records Bureau (CRB) disclosure service could be banned from carrying out any checks on job applicants when new regulations come into force in April this year. The move would be disastrous for frequent users of the disclosure service, such as NHS trusts, local authorities and the voluntary sector. It raises the potential of recruitment freezes or the illegal employment of workers who have not been CRB checked.”
Personnel Today reports that “Ex-offender charity Nacro has called for the introduction of a new licensing authority to stamp out discrimination resulting from criminal record checks. A report released today calls on the government to take urgent steps to reform the way people with criminal records are treated in the labour market, by introducing an independent licensing authority which would hold ultimate responsibility for clearing people for employment. The report – Getting Disclosures Right: A review of the use and misuse of criminal record disclosures – highlights how, under the current system, people who are not a risk to children or vulnerable adults are being refused employment, suspended and dismissed on the basis of wholly irrelevant cautions or convictions. It uncovers widespread discrimination against people who have a criminal record – even where the nature of their offence means that they would pose no risk – across the public, voluntary and private sector.”
Personnel Today reports that “Employers in the NHS are breaking the law by making illegal background checks on all new staff, not just those who have access to patients, Personnel Today has learned. For jobs in the NHS, Criminal Records Bureau (CRB) checks, or disclosures, are only supposed to be requested for posts that allow access to patients “in the course of normal duties”, such as nurses, midwives and porters.”
Conservative MP Paul Goodman makes a speech to the Commons about a Helen Wilkinson, who “discovered that the University College London Hospitals trust had sent computer records of every hospital medical treatment that she had ever received to a private company, McKesson, which holds a mass of NHS records. Those records are then passed on, as Helen’s were, to computer systems used by the NHS. Helen’s records thus became available to several NHS bodies, such as the Thames Valley strategic health authority, Wycombe primary care trust and so on. Helen asked to see her records under the Data Protection Act 1998, as she is fully entitled to do, and she discovered when she examined them that there was a serious mistake in them. She was effectively and, I repeat, mistakenly, registered as an alcoholic. Helen resolved, given her anger about the mistake, her concern about the many people who have access to even the correct parts of her record, and her anxiety about the even larger number who might well have access to it as the NHS computerisation programme proceeds, that she wanted her records removed from NHS systems altogether.”
The Guardian reports that “The Home Office has been forced to apologise to 10 men placed under controversial anti-terrorist control orders after it linked them to the ricin plot in London, the Guardian has discovered. In an embarrassing letter to the men, the government claims that it made a “clerical error” when it said the grounds for emergency restriction imposed on each of the alleged international terrorists was that they “belonged to and have provided support for a network of north African extremists directly involved in terrorist planning in the UK, including the use of toxic chemicals”.”
An Observer article about so-called ‘honour killings’ says, “Jack and Zena ended up in Grimsby, where someone at the DSS leaked their whereabouts; three men turned up at the office claiming to be Zena’s brothers and demanding to know her address.”
The BBC reports that a DVLA employee sold data to animal rights extremists.
The BBC reports that “A police officer has been jailed for two-and-a-half years for accepting money to pass on information to a Saudi Arabian intelligence officer. … Roger Smart, prosecuting, said: “Ghazi Kassim conducted research into private individuals using confidential databases held by the Metropolitan Police.””
The IPCC issues a press release that says, “Failing to collect, retain and pass on material to others to protect children and other vulnerable people is a misconduct issue as much as the misuse of PNC data which has been a consistent problem during the last 20 years – and still poses a challenge today for the new IPCC. The types of cases in which abuse occur include using the PNC to gain evidence for civil proceedings, to find evidence about a partner’s estranged husband, or to check out a daughter’s latest boyfriend. There is also the perennial problem of data being sold to private detectives.”
The BBC reports that “A major security alert began at an east London police station when two workers used its criminal database to check up on their boyfriends [and their associates and family members], a court heard.”
The BBC reports that “Dissident republican paramilitaries used medical records at a Belfast hospital in an intelligence gathering operation, the police have said. It is alleged the Real IRA was using records at the Royal Victoria Hospital to target members of the Policing Board, district policing partnerships, politicians and police officers.”
The Telegraph reports that “The Inland Revenue has reprimanded, fined or sacked 765 of its own staff in the past three years for violating the Data Protection Act or misuse of computers. The offences, which include selling celebrities’ tax records to newspapers and visiting “illegal” pornographic websites, have come to light after an investigation by Tax Relief, a campaign group set up to highlight disputes between the taxman and members of the public.”
The BBC reports that “Inland Revenue staff have breached the Data Protection Act by checking out the tax affairs of celebrities, it has emerged. More seriously, the Revenue said it believed there was some “evidence” that privileged tax information had been sold onto outside agencies by staff. Personal tax records may also have been used “maliciously” to shop ex-spouses to the Child Support Agency, it said.” Also reported by the Independent.
2000 and before
Shirley McKie “was accused of leaving her fingerprint at a crime scene and lying about it. This all happened in the line of duty when she was part of a police team investigating the vicious murder of Marion Ross in Kilmarnock, Scotland. Shirley testified as a crown witness at the trial of David Asbury accused of the murder. Asked about the crime scene she stated that she had not been in the murder victim’s house even although 4 experts from the Scottish Criminal Records Office (SCRO) had identified a ‘thumbprint’ from the house as hers. … All experts from abroad who testified in court and others later invited by the Scottish investigating authorities to study the print [171 experts in all – ukliberty] have clearly stated, and demonstrated, that the latent from the crime scene definitely did not come from Shirley McKie. … the experts and their supervisors, including Police and Crown Office, continued to maintain that they were right in their identification and that it was merely ‘a matter of opinion..’”
Links that are no longer functional (and can’t be updated / substituted as of writing)
The Guardian reports that “Some 130 medical staff have signed a letter calling for a police probe into internet security breaches concerning junior doctors’ personal details.” (I think this related to the official website that inadvertently made all their details public.)