Almost half of organisations obstruct citizens from accessing the data that’s stored about them, a study led by the University of Sheffield has found.
The study, which forms part of a project titled IRISS (Increasing Resilience in Surveillance Societies), and was funded by the European Union, documented the experience of citizens who tried to access their own personal data. It investigated 327 organisations across Europe and the results will be of concern to freedom of information campaigners.
“What should have been a straightforward process was complex, confusing, frustrating and, in the end, largely unsuccessful,” the report states.
According to the study, 43 per cent of cases involving citizens trying to request information about themselves from organisations resulted in no personal data actually being disclosed.
In addition to that, the study found that in 20 per cent of cases it was impossible for citizens to actually make a request for information about their data, due to a lack of contact details for the individual or department responsible for this.
Professor Clive Norris, a specialist in the sociology of surveillance and social control from the University of Sheffield, led the study and argued that the authorities should tackle a situation that is undermining the European Data Protection Directive and, in some cases, the law itself.
“In our view, there is an urgent requirement for policy-makers to address the failure of law at the European level and its implementation into national law. Organisations must ensure that they conform to the law,” he said, arguing that businesses must ensure they make information about who handles data and how to contact them clear.
“In particular, organisations need to make it clear who is responsible for dealing with requests from citizens; they need to train their staff so they are aware of their responsibilities under law; and they need to implement clear and unambiguous procedures to facilitate citizens making access requests,” Professor Norris continued.
“Finally, national data protection authorities must have the legal means and organisational resources to both encourage and police compliance,” he added.
Organisations studied as part of the research were from a range of sectors, including health, transport, employment, education, finance, leisure, communication, consumerism, civic engagement, and security and criminal justice. Tests took place across Austria, Belgium, Germany, Hungary, Italy, Luxembourg, Norway, Slovakia, Spain and the UK.