If a company or public organisation is holding personal or otherwise sensitive data, it is naturally to be expected that they would maintain high standards of security and data protection. This applies regardless of the context in which the data is being processed.
Of course, there are certain categories of data that carry greater risk to the data subjects concerned than others. Personal financial details, medical records and political affiliation collected by the state all come to mind. Under the GDPR, such information is considered ‘special category data.’
You could say that all forms of data are sensitive, but some are more sensitive than others.
The Prevent database
Take for example, the database of the government’s ‘Prevent’ scheme. Prevent compiles information on potential terrorist and other dangerous extremists.
The Prevent database naturally contains special category data alongside state security secrets. It also has the potential to seriously affect the lives of those whose data is being stored. There are all sorts of reasons why we would expect extremely high security standards from Prevent, and dread the prospect of a data breach.
On the 7th of October, The Guardian broke a story about this database. It claimed that it had discovered that the police were maintaining a ‘secret’ database of highly sensitive counter-terrorist information. The existence of the database was alleged to have human rights and data protection implications for the thousands of individuals suspected of being vulnerable to radicalisation listed on it.
Chief Constable Simon Cole response to The Guardian Story
Chief Constable Simon Cole responded to this news story on the 9th of October, claiming that the existence of the database was not a secret and that details had already been officially published online. He said:
‘These records can only be accessed by a small number of trained Prevent police professionals. Details would only be shared with mainstream colleagues or other agencies on request and in exceptional circumstances.’
‘Documents are regularly updated and deleted if it is no longer necessary or proportionate to keep them.’
It is significant to see a public authority quoting what essentially amounts to the Prevent data protection policy in response to media queries. No doubt a Prevent DPO was consulted before this statement went to press.
Where not only data protection rights, but also national security are at stake, it is reassuring to hear that sound data protection protocols are being observed. This is a case where even the publicly-known existence of a database carries risks.
If you have any questions about the data protection policies, please contact us via email team@datacompliant.co.uk or call 01787 277742.