Organisations obstructing access to personal data

It found serial malpractice and obfuscation on the part of organisations when citizens seek clarification of what these organisations know about them. The study is part of the IRISS (Increasing Resilience in Surveillance Societies) project, funded by the European Union and documents the actual experience citizens have when trying to use the law to access their data.

The study, led by the University of Sheffield, investigated 327 organisations across the public and private sector, in Austria, Belgium, Germany, Hungary, Italy, Luxembourg, Norway, Slovakia, Spain and the UK.

European and national laws give citizens the right to know how their personal data is used, shared and processed by private and public sector organisations. The researchers found that what should have been a straightforward process was complex, confusing, frustrating and, in the end, largely unsuccessful. The organisations’ sites were chosen based on socio-economic domains in which citizens encounter surveillance on a systematic basis – they were health, transport, employment, education, finance, leisure, communication, consumerism, civic engagement, and security and criminal justice.

Professor Clive Norris, a specialist in the sociology of surveillance and social control from the University of Sheffield, led the study.  He said: “We are selectively marketed to, our locations are tracked by CCTV and automated licence plate recognition systems and our online behaviour is monitored, analysed, stored and used. The challenge for all of us is that our information is often kept from us, despite the law and despite our best efforts to access it.”

The right of access is generally exercised by submitting an access request to a nominated data controller but, before this can begin, the data controller must be located.  The research across the sites found that, in a significant minority ( 20%) of cases, it was simply not possible to locate a data controller. Where data controllers could be located, the quality of information on making an access request varied enormously. In the best cases, information was thorough and followed legislative guidelines closely, but researchers said in the worst cases information was very basic, often failing to explain how to make an access request or indeed what an access request actually is.

The most reliable and efficient way of locating data controllers was on-line. In nearly two thirds ( 63%) of all cases, on-line searching provided the relevant contact details, and this was achieved in less than five minutes over half ( 61%) of the time. In the majority of cases, when contacting organisations by telephone, members of staff lacked knowledge concerning subject access requests. As a result, answers were often incorrect, confusing and contradictory. When it was possible to locate the data controller via telephone, this took more than six minutes, sometimes on premium rate lines, in over half ( 54%) of all cases. Even then, the information provided via telephone was rated as ‘good’ in only 34% of cases.

In the case of CCTV data, where researchers attended sites in person, nearly one in five sites ( 18%) did not display any CCTV signage. Where signage was present, in more than four in ten cases ( 43%) it was rated as ‘poor’ in terms of visibility and content. Only one third ( 32.5%) of CCTV signage named the CCTV system operator or data controller.