INTRODUCTION

  We present two further recommendations to the Home Affairs Select Committee in relation to privacy and the draft ID Card Bill. This is to offer assistance to the Committee if it decides to support the introduction of the ID Card but is nevertheless concerned to recognise the inherent privacy dangers of this step. As with our previous submission, our views do not represent the views of the law firm which employs us, and we have no objection to our views being published.

  Our two recommendations to the Committee are:

1.  We invite the Committee to agree with the conclusion of the Fifth Report of the Select Committee on Culture, Sport and Media (session 2002-03; HC 458) into Privacy and Media Intrusion, that the time has come for Parliament to ask Government to bring forward proposals, following consultation, for the enactment of a right to privacy which is accessible to all citizens. We believe that if an ID Card is to be introduced, then the establishment of an effective, accessible and strong right to privacy should be essential pre-requisite. We think that the Data Protection Act should form part of that consultation as it can be the vehicle to implement that right.

2.  We invite the Committee to conclude that the system of supervision associated with statutory codes of practice, national security and certain law enforcement agencies, is fragmented and needs to be restructured on different principles. The restructuring of this supervision could form part of the consultation process identified above.

Preamble to the two recommendations

  The driving force behind these two recommendations is that in the post 9/11 era, there has been a shift in the balance between the need of the state to interfere with private life in order to respond to a real terrorist threat and the needs of the individual to understand that the state will normally respect his private and family life and his correspondence.

  Although the needs of the law enforcement agencies have been "joined up" in a series of legislative steps (eg Anti-Terrorism, Crime and Security Act 2001; Civil Contingencies Bill, Regulation of Investigatory Powers Act 2000, Terrorism Act 2000), the privacy protection afforded to the public by way of data protection legislation still languishes in a state which was established in the late 1970s. All European data protection legislation, including those which enact the Data Protection Directive (95/46/EC), gain their authority from Council of Europe Convention No 108, agreed in 1981. We believe that data protection legislation needs to be refreshed to take account of the post 9/11 political reality, and that the establishment of a right to privacy should be an inevitable outcome of this process.

  Since the 1980's, a number of technological innovations have facilitated mass surveillance of the population by law enforcement agencies. The introduction of CCTV cameras in city centres, the retention of all communications data for a year under the Anti-Terrorism, Crime and Security Act, the retention of everybody's financial transactions in the name of money laundering are all recent examples of keeping records on everybody in order to trace those who would damage society.

  The current ID Card Bill requires all UK citizens to register a range of details about themselves and the database will include an audit record of all public and private services used by each citizen. This is yet another example of the retention of records about everyone for years in case they are needed by the authorities.

  The principles underpinning data protection legislation need to be refreshed in the light of these technical developments available to certain authorities. We consider that the integration of Article 8 ECHR which explicitly calls for respect for a citizen's private and family life and correspondence (Schedule 1 to the Human Rights Act) into the Data Protection Act 1998 would establish a right to privacy in a way which the Culture Select Committee recommended.

  Finally, in an era where the potential for mass surveillance exists, we consider that an explicit right to privacy is essential to the health of a democracy—for if there is no private space to develop a dissenting political thought then the involvement of citizens in the democratic process can be diminished.

  In this context of the development of a healthy democracy, there is little point in developing policies which improve the political accountability and transparency of public authorities if at the same time there develops a perception that those who challenge the political orthodoxy are somehow the subject of surveillance and suspicion. We believe that a right to privacy sends an important message to all UK citizens which will ultimately strengthen democratic structures: namely that it is legitimate to engage the political system with the objective of changing any established government policy.

SUMMARY COMMENTARY IN RELATION TO EACH RECOMMENDATION

  1.  We invite the Committee to agree with the conclusion of the Fifth Report of the Select Committee on Culture, Sport and Media (session 2002-03; HC 458) into Privacy and Media Intrusion, that the time has come for Parliament to ask Government to bring forward proposals, following consultation, for the enactment of a right to privacy which is accessible to all citizens. We believe that if an ID Card is to be introduced, then the establishment of an effective, accessible and strong right to privacy should be essential pre-requisite. We think that the Data Protection Act should form part of that consultation as it can be the vehicle to implement that right.

  The Culture Select Committee came to its recommendation for a privacy right largely because of the actions of a few celebrities (eg Catherine Zeta-Jones, Naomi Campbell), who possessed the necessary financial wherewithal to fund actions through the courts. The Committee argued that such actions would eventually result in judge-made privacy law based on the factors surrounding these celebrities and not in relation to the ordinary person in the street. The Government, in its formal response to the Committee, dismissed this recommendation citing the existence of the Data Protection Act as providing general privacy protection, and the lack of evidence that the courts were reaching an incorrect balance between Articles 8 and 10 of the Human Rights Act (ie private life versus freedom of speech).

  We think the Culture Committee's recommendation is necessary on different grounds—for instance in relation any legislation introduced on the lines of a draft ID Card Bill. This is because we have shown that when Ministers take wide-ranging powers, as they do in this Bill, then the Data Protection Act affords little privacy protection. Secondly, we think that a system whose only source of protection lies via the courts is inherently imbalanced: on the one side will be the citizen taking considerable financial risks in taking a case to court and on the other side will be a powerful public authority with access to the public purse. In these circumstances, we believe that the ordinary citizen would be unlikely to risk the costs of defeat in a Human Rights case—or indeed action via the Courts in relation to any tort of privacy—if one were created.

  We think that the Sixth Principle of the Data Protection Act could be amended easily to achieve a privacy right, accessible to the ordinary member of the public, and which can take into account the special interests associated with the press. In our earlier submission, we showed that the first five Data Protection Principles were largely negated by the draft ID Card Bill; however a specific amendment to the Sixth Principle (unaffected by our analysis) could go a long way to redress the inability of the Act to gain purchase in relation to the ID Card Bill.

  For instance, instead of a Sixth Principle which states "Personal data shall be processed in accordance with the rights of data subjects under this Act", we could have "Personal data shall be processed in accordance with the rights of data subjects under this Act and in particular, any processing of personal data shall respect the private and family life and correspondence of each data subject". We also believe that other elements in the Data Protection Act need strengthening. For instance, the Information Commissioner should be able to name and/or prosecute public bodies who breach the Data Protection Principles. However, the detail of such points is for another occasion.

  Although we believe that the Sixth Principle is a vehicle which can be used to establish a privacy right, we do recognise that a privacy right would be a new concept which should not be introduced without the widest possible consultation. Hence our link to the Culture Committee recommendation which calls for such a consultation before implementing any right to privacy.

  2.  We invite the Committee to conclude that the system of supervision associated with statutory codes of practice, national security and certain policing agencies, is fragmented and needs to be restructured on different principles.

  We start from the position of assuming that the Home Secretary will ensure that procedures in relation to access to the ID Card's central database of registrable facts will be codified in some way in a formal document. We call this document, for convenience, a Code of Practice.

  We are of the opinion that there is a major structural problem in relation to privacy protection which arises from the fact that every Secretary of State has a conflict of interest between his or her Departmental responsibilities and the content of any Code of Practice which deals with privacy protection. For instance, in relation to the ID Card Bill, the Home Secretary who is aiming to protect privacy is also largely responsible for the public bodies (police and security services) whose job involves interference with private life. Indeed, the conflict of interests makes it difficult for the Home Secretary to adopt particular privacy proposals, if this step ran counter to the advice of his Chief Constables.

  This structural deficiency is common to all regulations/Codes of Practice/data sharing protocols produced by any Secretary of State. This is the main reason why the Lindop Committee on Data Protection (Cmnd 7341, 1979) recommended that Codes of Practice should be produced by an independent Data Protection Authority for the approval of the Secretary of State. We think that a review which includes consideration of the right to privacy ought also to consider remedies for this structural imbalance.

  The processing for national security purposes is largely exempt from the Data Protection Act by virtue of Section 28 and since the 1980's there has developed a number of Commissioners and Tribunals who could be involved in the protection of privacy (eg Interception of Communications Commissioner, Intelligence Services Commissioner, Investigatory Powers Commissioner for Northern Ireland, Chief Surveillance Commissioner, Security Service Commissioner and related Tribunals for each Commissioner). The ID Card Bill adds to this plethora of Commissioners by proposing an ID Card Commissioner. This list, of course, excludes the Information Commissioner and his two Tribunals, one of which deals with national security issues.

  In this regard, we note that the Annual Reports of the Commissioner established by the Interception of Communications Act 1985 record the number of cases heard by the Interception of Communications Tribunal (which is very similar to the Interception of Communications Tribunal established under RIPA). Between 1996 and 2002, there were over 400 cases considered by the Tribunal set up by the 1985 Act and none have been adjudicated in favour of the complainant. This enviable 100% record in perfection is echoed in a similar 100% finding in relation to complaints to the Tribunals which monitor the Security and Intelligence Services.

  Supervision of secret services is not a new problem. The Lindop Committee on Data Protection (paras 23.20 and 23.21) recognised this and stated that:

"the proper discharge of the duties of the security services entails a dilemma. If the job is to be done properly, it must necessarily be done in secret, If that is so, it can never come under public scrutiny".

  The report continued:

"This leaves the security services in a hermetic compartment where they can never discuss their problems with anyone outside their own tight community. Thus, they are not open to the healthy—and often constructive—criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".

  We are not in a position to judge whether the national security agencies have strayed, or whether a diverse array of Commissioners and a 100% track record is a credible system of protection for the individual against the misuse of data by all these national security agencies.

  However, our view is that the whole system of supervision of national security agencies, established in the time when the main threat was from the Soviet Bloc, needs to be fundamentally restructured on different principles, and rationalised. This is particularly necessary in view of the fact that these agencies are expanding their capacity to monitor the terrorist threat, using new mass surveillance techniques.

  We therefore believe that Lindop's suggestion that the Data Protection Authority who has a senior official who has clearance to discuss privacy issues with these special services is an idea which has merit in the post 9/11 era.

Dr. Chris Pounder, and Sue Cullen

Editors, Data Protection & Privacy Practice

June 2004