There’s a very interesting discussion taking place of the recent JRRT report on The Database State (pdf) over at Bill Dutton’s blog at the Oxford University Internet Institute. Dutton argues that the report “does not explain its methodology or the nature of the evidence on which the authors draw their conclusions.” There is, he argues, no explanation as to why the 46 databases analysed in the report were chosen. This has generated some misleading headlines as journalists have assumed the sample is in some way representative of all UK public sector databases (the Guardian, for example, reported that ‘Right to privacy broken by a quarter of UK’s public databases, says report’). Dutton also agrees with the Ministry of Justice that the “traffic light system”, which the report uses to grade databases according to their compliance with the European Convention on Human Rights, is not substantiated by any evidence. The reader of the report, he says, “should not be in a position that requires us to trust the judgement of the authors, based on their authority.”
Dutton’s reading of the report is challenged in the responses that follow. If journalists over-generalised from the report, then this isn’t the fault of the report’s authors who make it clear that the 46 databases analysed were chosen not because they are representative, but because they are the largest and most significant databases, namely “those systems that will at some time or another hold identifiable personal information on at least a significant minority of citizens.” The question of whether or not the evidence in the report warrants the conclusion that a quarter of the databases surveyed are illegal is of course more contentious since it requires a legal judgement based on human rights and data protection law. Douwe Korff, who advised the report’s authors, makes a convincing case that they are illegal. David Erdos, however, suggests that the report’s use of legal evidence is highly partial: “even when law/legal opinions are mentioned, the authors generally favour the most extreme findings (usually from the EU Working Party 29 Group (which has no jurisdiction to issue binding opinions even of EU law)) of the most extreme instrument (the EU Data Protection Directive – which is not directly applicable in UK law) as against a proper analysis of legal judgments made under UK law.”
It’s worth reading Dutton’s post and the careful and detailed comments that follow. From my layman’s perspective it I’d say that Duton’s main criticisms of the report are answered, but take a look for yourself.