Rules for Government as a whole
The Government should give an explicit undertaking to adhere to a principle of data minimisation and should resist a tendency to collect more personal information and establish larger databases. Any decision to create a major new database, to share information on databases, or to implement proposals for increased surveillance, should be based on a proven need.
The Government should take responsibility for safeguarding the personal information it collects and should exercise this responsibility before collection takes place: when it is possible by obtaining consent for collecting and processing data, and when it is not possible by providing an explanation.
The Government should hold information only as long as is necessary to fulfil the purpose for which it was collected. If information is to be retained for secondary purposes as well as for service delivery it should normally be anonymised and retained only for a previously specified period.
Every system for collecting and storing personal information should be designed with a focus on security and privacy. This process should involve planning not only the technical aspects of access to systems but also the staff management protocols for access and information-handling.
The Information Commissioner should lay before Parliament an annual report on surveillance. The Government should make a formal response to his report, also to be laid before Parliament.
Rules for the Home Office
The Home Office should explicitly address these questions in every proposal for extending or changing its powers and functions with regard to the collection and use of personal information: in the fight against crime: where should the balance between protecting the public and preserving individual liberty lie? How should this balance shift according to the seriousness of the crime? What impact will there be on the individual and on our society as a whole?
The Home Office should not routinely use the administrative information collected and stored in connection with the National Identity Register to monitor the activities of individuals.
The Home Office should maintain plans for securing the National Identity Register databases, and contingency plans to be implemented in the event of a loss or theft of biometric information from its databases.
The Home Office should take every opportunity to raise awareness of how and why the surveillance techniques provided for by the Regulation of Investigatory Powers Act might be used, and should keep under review the effectiveness of the statutory oversight of RIPA powers.
The Home Office should ensure that any extension of the use of camera surveillance is justified by evidence of its effectiveness for its intended purpose, and that its function and operation are understood by the public.