Data on thousands of Scots that has been deleted from a controversial Police Scotland database over privacy concerns may still be kept by other Scottish public bodies – and there is no way for the people affected to find out.
It was reported by the BBC last month that records of about nearly 500,000 people had been deleted from the police Vulnerable Persons Database (VPD) since a new ‘weeding’ process was introduced last year.
The VPD was found in breach of the Data Protection Act by the Information Commissioner in 2017 because there was no procedure in place for removing information that was no longer relevant.
The database was set up by police in 2013 and became controversial after it emerged that it held the information of around one in 13 Scots who police considered “vulnerable”, while as many people again were included on the basis of being associated with the vulnerable individual.
This meant that at one point were more than 800,000 people on the police list.
Most people on the database are not aware of being on it, and would need to submit a formal request to Police Scotland, called a Subject Access Request, to find out.
Police Scotland also share information about people on the VPD with other public bodies such as council social work and education departments, the Crown Office and Prosecution Service, and the Scottish Children’s Reporter Administration.
Under the new procedure introduced last February, records are now removed from and added to the VPD on a continuous basis, with records moved to the “no concern” category deleted after six months.
But now Police Scotland has told The Ferret that statutory bodies which receive data from the database are not notified when records are removed.
The Police Scotland response to an FoI request also confirms that, once records are removed from the VPD, Police Scotland no longer tracks information on how many were passed to other organisations, which means it has no oversight of how it continues to be used.
If an individual’s data recorded by police is passed to other public bodies before being deleted in compliance with data protection regulations, this means the information can still be held by those bodies without the individuals’ knowledge.
Critics argue that a review of the current process is needed in light of such “inconsistencies”, and have raised concerns about ethical standards and the protection of civil liberties.
But Police Scotland chief inspector James Davenport said there was “no requirement for Police Scotland to notify external bodies when information is weeded from police systems”.
He added: “Police Scotland retains responsibility for information held on police systems and our weeding and retention policy applies to information we hold.
“Once information has been shared with an external agency we are no longer the controller of that information. The external body becomes the data controller for the information they receive.”
Davenport also noted that Police Scotland has a statutory obligation to share information regarding “a child or an adult who may be in need of protection, or at risk of significant harm” or when a broader assessment indicates that someone may need “additional support or early intervention and/or advocacy to protect them from harm”.
The Information Commissioner’s Office confirmed that under the General Data Protection Regulation (GDPR), data shared externally falls under the retention policy of the third party.
However, data campaigners and experts believe that, given the concerns with the controversial VPD, police should have sought to communicate with its data sharing partners.
Digital rights campaigners Open Rights Group raised concerns about the VPD over a number of years, arguing that many of those classified as of “no concern” should never have been included on the database.
Some people have felt stigmatised by being labelled “vulnerable”, and that the size of the database raised questions about Police Scotland’s data handling processes. There is no equivalent database in England, Northern Ireland or Wales.
Speaking to The Ferret, Scotland director of Open Rights Group Matthew Rice said: “Police Scotland’s legal responsibility may end when they share the data, but given the level of concern raised by individuals who have been contacted as a result of being on the database.
“Given that we know this is a large database which has been found in breach of the Data Protection Act, there is an ethical responsibility to reach out to other public bodies that they have shared the data with.”
Rice said public bodies across Scotland should be making “greater effort” to ensure data is removed when there is no legitimate reason to retain it.
“The VPD was set up to share data so it is almost certain that individuals’ data that was deleted was shared with public bodies. It now may be too late to fix this issue, and that is a deeply disappointing outcome,” he added.
Dr Chris Pounder, a director at data protection training firm Amberhawk and member of two UK Government advisory committees on privacy and data protection, expressed similar concerns.
“Best practice, because of the seriousness of the problem, would have been for Police Scotland to alert recipients of the personal data of the deletion, where possible,” he said.
“This would leave the recipient in the position of having to decide whether they should delete the data” he said.
Pounder added that, in order for a person to exercise their right to have their data removed (which is not guaranteed if there is a legitimate reason for retaining it) someone would need to know that their data had been on the VPD, had been deleted, and that it was shared with another body, and then raise the issue with that organisation.
“The people who know can chase it up, but the people who don’t can’t do anything,” he said.
The concern of those questioning the process is that this may be the case for significant numbers of people due the absence of communication.
Scottish Labour justice spokesperson James Kelly MSP said that “a review of the current process is needed to ensure the procedure for deleting data is consistent and fair to all”.
He continued: “The processes for holding and then deleting information from the Vulnerable Persons database should be clear. It is a concern if inconsistencies are arising between data being deleted by Police Scotland and records held by organisations with whom the data had been shared.
“This data is sensitive and it is important that civil liberties are not being compromised. A review of the current process is needed to ensure the procedure for deleting data is consistent and fair to all.”
Scottish Liberal Democrat justice spokesperson Liam McArthur MSP said: “As Scottish Liberal Democrats have highlighted in the past, Police Scotland are in charge of vast databases of highly personal information. Given its sensitivity, it needs to be held under the strictest of conditions. They need to be on top of their responsibilities.
“Privacy campaigners are right to be keeping a careful eye on how shared data is being used and retained and I hope this encourages Police Scotland to reflect on whether their current procedures are working.”
You can find out how to submit a Subject Access Request by taking our free Using Your Personal Data Rights online course.