Four out of ten or 40 percent of the European organizations, obstruct people from accessing their own data, claims a recent international research study conducted by the University of Sheffield.
The research, funded by the European Union and conducted as part of the project titled IRISS (Increasing Resilience in Surveillance Societies), investigated 327 public and private sector organizations including banks, supermarkets, finance companies, universities, healthcare providers, security firms as well as the US search engine company in Austria, Belgium, Germany, Hungary, Italy, Luxembourg, Norway, Slovakia, Spain and the UK.
The study documents the experience of citizens who tried to gain access to their data and examines the obstacles they face.
“What should have been a straightforward process was complex, confusing, frustrating and, in the end, largely unsuccessful,” the report states.
European and national laws offer citizens the right to know how public or private sector organizations use, share or process their personal data. However, the study found that organizations, reluctant to provide personal data information, made the entire data accessing process quite difficult.
The research revealed that while 43 percent of the sites did not respond adequately to the made inquiries, a further 56 percent of sites contacted failed to provide a legally compliant answer to reveal who that information was shared with. In about 20 percent of the cases, the citizens found it to be almost impossible to locate an individual controller responsible for dealing with an organization’s data responsibilities.
The surprising part was that when researchers made seven data requests to Google, the search engine giant confronted with a “number of difficulties.”
Professor Clive Norris, who led the study – part of the EU-funded Increasing Resilience in Surveillance Societies project – said, “In our view, there is an urgent requirement for policy-makers to address the failure of law at the European level and its implementation into national law. Organisations must ensure that they conform to the law.”
“In particular, organisations need to make it clear who is responsible for dealing with requests from citizens; they need to train their staff so they are aware of their responsibilities under law; and they need to implement clear and unambiguous procedures to facilitate citizens making access requests,” Professor Norris continued.
He lastly added saying that “Finally, national data protection authorities must have the legal means and organisational resources to both encourage and police compliance.”