Are UK Nightclubs Breaking Data Laws by Storing Your IDs and Fingerprints?

"Say I don't like the look of you. If I've scanned in your ID, I could ban you not only from my club but, by sharing that data, from every nightclub in London. How the fuck is that not illegal? How are there not data protection issues with that?"

Alex Proud, owner of Proud Camden, has a reputation for being a bit opinionated and gobby, but this issue – the harvesting of personal data from clubbers, which is increasingly becoming mandatory for late night venues – has him firing words out with furious, spitfire precision.

"There are moments when everyone likes to have a bit of power," he says. "But I'm not here to police society. I run a nightclub. It's ludicrous that I'd be given that sort of power, and society doesn't want me to have it."

Alongside CCTV and hefty security teams, Proud Camden – like many other clubs and bars across the UK – has been required to install ID scanning equipment, allowing bouncers to check for age and ensure no undesirables are admitted entry. Sold to us in the name of easier access, in some venues you can now expect to be fingerprinted, too; the full airport immigration experience.

But buzz-killing aside – and this shouldn't be shrugged off; why the hell do we go out in the first place if not to escape the rules and constraints of daily life? – there are serious implications to the amassing of yet more private data. We should be asking questions. Who agreed that clubs and private technology firms should be allowed to collect all this information about where we hang out at night?

The UK's biggest provider of ID scanning equipment for clubs and bars, IDScan Biometrics Limited, claims to have the largest private ID library in the world, and its database includes passports, visas, ID cards, driving licenses, utility bills and work permits. The system can check NHS numbers, the electoral role, telephone numbers, National Insurance numbers, sanction lists and "politically exposed persons" lists.

By joining Safer Clubbing at Night Network (SCAN NET), clubs and bars can share data with each other. Should you be banned from one bar, the bouncer can spread your details across the network and the party is over for you at every venue in town. Some venues use different scanning systems so, if you go out a lot, your details may have been uploaded to several databases.

Despite having more than 5,000 of its scanning machines in deployment, when I call IDScan Biometrics Limited I'm told it's only a small company and that there's no one who can speak to me. My subsequent emails to the company's operations manager are ignored.

Local licensing officers, who have almost invariably been behind the arrival of the system, are more willing to vouch for its success. It's a scheme with which the police work closely, requesting crime-related data gathered by clubs and, in return, feeding back information on offenders. In the six months following the implementation of SCAN NET in Watford last year, violence was down 14 percent and thefts by 57 percent, according to the council. However, no independent national assessment has be carried out.

Best practice for the use of the ID scanning equipment has been laid out by the Information Commissioner's Office (ICO) and includes the recommendation that data be deleted after a suitable period of time. Likewise, the Data Protection Act requires that information is kept "for no longer than is absolutely necessary". However, club owners I spoke to were hazy about the requirement. Some told me data "sits there forever", others thought it was six months, three years. One said he keeps "as much information as possible, indefinitely". Some told me they store the data themselves, others that it's saved, encrypted, on the servers of companies like IDScan. Given that many venues use the data for marketing purposes, it's obvious that some of your information will be kept long-term.

"Sussex Police is aware that IDScan is compliant with the Information Commissioner's guidelines," Sergeant Simon Morgan, licensing officer for the West Sussex police told me. "This particular company provides its own guidance to customer companies, who themselves become data controllers of their own systems. The guidance is that signs should be visible stating that ID scanning is a condition of entry and that the information is secure and is 'weeded' regularly. Concerns about data protection regarding individual cases should be directed at the data controllers at the venues."

Technology lawyer Dai Davis of Percy Crow Davis & Co is wary, telling me that data protection laws are routinely flouted and notoriously unenforceable.

"To abide by data protection legislation, collection of data has to be proportionate and, in my view, I don't see how anyone can possibly justify keeping your passport details just because you want to enter a nightclub," Davis says. "Whether most nightclubs have the ability to secure data securely is highly doubtful."

While many bars and clubs I contacted declined to comment on their use of fingerprinting and ID scanning, reactions from the others are mixed. Several bar owners pointed out that big time wrong'uns probably have several IDs anyway, so the scheme will only ever catch small-fry. Others said the system was helpful, acting as a deterrent for thieves.

"There are huge gaps in the law around the use of this equipment," I'm told by Brixton's Dog Star. "We've had to put our own data protection safeguards in place."

A spokesperson for Corporation club in Sheffield, who asked not to be named over fears of upsetting the police, said the technology's use is limited.

"If someone presents you with a Bangalore license, which you might not recognise, it tells you what it is. What it doesn't do is check to see if it's tampered with, and most people who sneak in will use someone else's ID, so it is a genuine ID. The whole thing's a bloody waste of time if you ask me."

§

Waste of time or not, this database is growing and your data is a valuable commodity, worth big money on the black market. The ICO suggests restricting which members of staff can access the database, but this is left to the venue's discretion. Even without data being hacked or sold, there's still the possibility of discrimination and personal safety issues around having your address so easily accessed. Despite this, there's been relatively little fuss as the scheme rolls out across the country, and, beyond the data protection issues, something wider is at stake.

The seed for this particular criminalisation of drinkers and clubbers was sown in 2010 with The Licensing Act 2003 (Mandatory Licensing Conditions) Order 2010, which can require venues to ask patrons for identification.

"In other words, at the same time as the government was making a fanfare about repealing Labour's ID Cards legislation, they were creating a special case of requiring the production of an official ID," says Guy Herbert of privacy group NO2ID. "Not proof of age, note, specifically 'identification'."

National ID cards were rejected with vehemence by the public, but we're getting used to something similar without even realising it. Biometric and ID data-harvesting is by no means exclusive to clubs; the tracking and monitoring of our every movement is becoming entrenched in daily life.

"It's ironic," says Alan Miller, who  ​recently closed down his bar on Brick Lane under siege from prison-level security requirements by licensing committees. "On the one hand, the public are all being treated as potential criminals; on the other hand, the same public are compliantly handing over their IDs and fingerprints."

With no public consultation on the issue and a lack of clear national protocol on how information is gathered, stored and used, it's tragic that we'd also allow our nightlife to come under this level of surveillance. Of course, violence or harassment shouldn't be tolerated anywhere, but most youth movements have come heavily dusted with a certain amount of bad behaviour. Sanitisation is a death knell to creativity.

An extensive database of highly sensitive information is now in the hands of nightclub owners and the private tech companies that do very nicely from this outsourcing of police work. No one knows what uses this data might one day have, but, as you stand in line waiting to be searched, fingerprinted and data-harvested on your way into a club, it's worth asking yourself who the real winners and losers might be in all this.

Enjoy your Friday night.

​@frankiemullin

More stories about nightlife:

​Bass, Raves and Bulletproof Vests: The Early Days of Fabric Nightclub

​A Big Night Out at… the Worst Club Night Ever?