House of Commons - Home Affairs

Select Committee on Home Affairs Fifth Report

4 What are the implications of the growth in surveillance for the individual and society?

79. In considering the factors which have contributed to a growth in the use of databases and other, more readily-recognised forms of surveillance, we have observed a tendency toward extremes in the arguments over the issues involved and the term itself. The suggestion that technology—cameras, databases of personal information including biometrics and DNA—can prevent or solve crime, secure our borders and verify our identities, stands in stark contrast to warnings about Big Brother Britain.

80. The Surveillance Studies Network acknowledges that the phrase 'surveillance society' has connotations which might promote such a polarisation of views, noting that "conventionally, to speak of surveillance society is to invoke something sinister, smacking of dictators and totalitarianism." The Network argues that the surveillance society is "better thought of as the outcome of modern organizational practices, businesses, government and the military than as a covert conspiracy".[74]

81. The Information Commissioner told us at the outset of our inquiry that "this is not a one-sided debate; this is a debate about balance and where lines should be drawn." He went on to say that there were "very clear benefits" in the use of surveillance:

We are very clear ... that each individual initiative may have very well intentioned benefits in terms of the security and the safety of the public; and in terms of improvements to public and private services providing quicker, cheaper and a wider range of benefits to the public.[75]

The Commissioner also said that "it is important to recognise that there can be risks ... to individuals ... and there can be risks to the fabric of society as a whole".[76]

82. Throughout our inquiry we asked our witnesses and other interlocutors how they weighed up the benefits to be gained from surveillance, against the potential practical risks to the individual and the cumulative risks to society of a trend towards the collection of more information about our daily lives. We discuss those benefits and risks which are directly associated with the work of the Home Office and the fight against crime below at paragraph 198.

Benefits of surveillance

Benefits to the consumer

83. We discuss above at paragraph 53 the commercial impetus to collect and store information about consumer behaviour. In using the information in order to provide more personalised services and more cost-effective marketing, commercial organisations attract more business from customers such as those who sign up to loyalty programmes, collect 'points' in return for their purchases and receive rewards, often in the form of vouchers for products or services.

84. We heard from the Finance & Leasing Association (FLA) that the use of information collated by credit reference agencies benefits the consumer in enabling lenders to:

intervene with consumers and talk to them if it appears that the consumers are ... at the tipping point ... in a situation where they have what appears to be a manageable amount of debt but may be trying to contract for too much which will take them into a situation of over-indebtedness. There are things that the lender can then do.[77]

Stephen Sklaroff of the FLA also told us that technology and the development of credit reference agencies had changed a situation in which lending decisions were made on the basis of the "immediate personal knowledge" a local bank manager had of a prospective customer and that this afforded "huge advantages to the consumer".[78]

85. Martin Briggs, Corporate Affairs Director, told us that the Loyalty Management Group collected consumer data "basically to be able to track people's shopping behaviour and to be able to market offers that they will find acceptable".[79] We asked Tesco about offers on high-fat, high-salt or alcohol products in the context of responsible lending and selling. Nick Eland, Legal Services Manager, told us that customers who bought a lot of wine might receive a wine coupon but that Tesco would never promote "tobacco or baby formula or those kinds of areas". He said that "ultimately we have to rely on our customers to make the decision in relation to the information and the offers provided to them".[80]

Benefits to the patient and public health

86. Data collected about individual patients for the purposes of administering care may have a valuable secondary use in the context of medical research and the introduction of electronic patient records has provided further scope for such research. In 2006 the Academy of Medical Sciences produced a report on Personal data for public good: using health information in medical research. The report concluded that:

The United Kingdom already has an outstanding record in this area of research. We now have the potential to become a world leader through the opportunities offered by the NHS and new initiatives to develop national electronic care records.[81]

87. Professor Carol Dezateux of the Institute of Child Health at University College, London, appearing on behalf of the Academy of Medical Sciences, listed five kinds of research which are assisted by the use of patient data:

Identification of the causes of disease (significant in terms of public health and finding treatments)

Identification of effective treatment (and the potential adverse effects of treatments)

Monitoring of public health (in terms of control of infections and epidemics) and the effectiveness of any interventions to control outbreaks

Protection of patients and the public (in terms of safety of medicines, vaccines or in relation to environmental issues)

Evaluation of health services (including comparative assessments).[82]

88. Professor Dezateux told us that the link between smoking and lung cancer, observed by Sir Richard Doll, was established by the secondary use of patient data and that this kind of data continued to form an important part of work to improve public health:

As we have gone through the whole tobacco control process, it has been informed at every stage by this kind of data, and now we are looking to using this kind of data to see whether we are getting the correct response and results to this kind of intervention, and whether there are any sectors of society that are being excluded or who are continuing, for example children, to be exposed and where perhaps we need different measures.[83]

89. Professor Dezateux argued that the introduction of the NHS electronic patient record as part of a system in which records could be linked by a single identifier, would bring about a "huge advance" in this kind of research:

One of the things it allows us to do is to be inclusive in our research so that we do not leave certain sections of the population out. It can help us get swift answers. It helps us look at areas of medicine that we are often criticised for not spending enough time on in our research: rare disorders, under-served populations. It helps us look at demographic change in a dynamic way ... what happens to mothers/parents and their children and subsequent generations.[84]

90. The Department of Health told us that holding care records on a national database would "deliver very significant benefits for safety and the efficient management of NHS services, improving healthcare outcomes for millions whilst preventing thousands of unnecessary deaths".[85]

Benefits to the citizen and society

91. The Government's Information sharing vision statement, published in September 2006, set out how information-sharing between public sector organisations and service providers had been used to deliver better public services at national and local levels, for example through:

provision of simple-to-use electronic alternatives to postal and face-to-face services such as the Driver and Vehicle Licensing Agency's re-licensing and off-road notification service for individual vehicles over the telephone and internet which links databases holding information about vehicle insurance and MOT certification with DVLA's register of vehicles.

reduction of the regulatory burden on business through the International Trade Single Window Project—the outcome of joint work by HM Revenue and Customs (HMRC), the Department for Business, Enterprise and Regulatory Reform, the Department for the Environment, Food and Rural Affairs, and the Food Standards Agency, which aims to allow UK businesses to provide standardised information once and then share the information with the main departments involved in authorising exports and imports.

more efficient and effective implementation of policy through targeted efforts based on information-sharing by HMRC and the Department for Work and Pensions, which enabled the Government to identify from income and capital information people who might be entitled to claim Pension Credit but who were not doing so.[86]

92. The Department for Children, Schools and Families told us that much of its activity depended on effective information-sharing "both at the level of Government databases, and between individual practitioners", and that this work was "central" to the Department's ability to "deliver better outcomes for children and learners". The Department listed several kinds of benefits to be gained from sharing information:

Better information sharing is crucial to safeguarding children and supporting the drive to personalise learning and to improve service delivery; it also contributes to improvements in efficiency and effectiveness, in reducing burdens on the front line, and in ensuring effective accountability. It [information-sharing] is a cornerstone of the Every Child Matters (ECM) strategy to improve outcomes for all children and for delivery of many of our reform programmes such as specialised diplomas and vocational qualifications reform.[87]

Weighing up the benefits of surveillance

93. In examining the potential gains to be made from surveillance—from the point of view of the individual and of society as a whole—we heard a range of views from those who sought to explore how these gains might be measured against the cost in terms of resources and the impact of intensifying surveillance on our daily lives. The main arguments we heard against ready acceptance of surveillance as a social good were that the benefits of surveillance should be seen in the context of the amount of personal information given up by the individual—questioning whether or not the same benefit could be achieved without some of this information—and that resources devoted to surveillance could be better deployed in other areas. We discuss the use of surveillance cameras in this context below at paragraph 201.

94. Having commissioned research on the use of databases of information about children, the Information Commissioner's Office told us that gathering more and more information about individuals could hinder rather than help Government in achieving its aims, particularly when those aims were not tightly defined. Assistant Information Commissioner Jonathan Bamford said that whilst some of its concerns about the index of all children in England, now known as ContactPoint, had been allayed as the database had been developed, the "philosophy" of the Information Commissioner's Office remained the same:

We want information of the right quality relating to the right people who really need care and concern ... where people should take seriously the responsibilities in respect of those children. The simple acquisition of more and more information does not actually mean that people make better judgments. They will become overloaded. We have certainly heard it said from those who are involved in the early child welfare issues that sometimes it is more social workers that we need rather than more information because we already have that much information we cannot act on.[88]

95. The Information Commissioner himself underlined the need to take into account the stated aim and scope of a particular database when evaluating its benefits:

the case for an index of children is very much greater for those children who are, or who are perceived to be, at risk, than is the case for a universal database of every child in the country in the more nebulous name of promoting their social and educational welfare. I think the second part is a great deal more doubtful.[89]

Risks of surveillance

Practical effects of misuse or mistakes

96. At the beginning of our inquiry the Information Commissioner outlined the risks to the individual which may be associated with "excessive" surveillance whether by means of cameras or other monitoring techniques such as the collection of information on databases. For individuals, the Commissioner told us, the risk is that they will suffer harm because information about them is:

inaccurate, insufficient or out of date

excessive or irrelevant

kept for too long

disclosed to those who ought not to have it

used in unacceptable or unexpected ways beyond their control, or

not kept securely.[90]

97. Expanding on this the Commissioner said that:

The practical risks are ... in terms of the detriment to individuals which can occur when mistakes are made, for example mistaken identity; where there is false matching and the wrong individual is identified; where there is inaccurate or out-of-date information; where there are breaches of security.[91]

The consequences of a black market in personal information

98. In two reports to Parliament, What Price Privacy? and What price privacy now?, published in May and December 2006, the Information Commissioner set out to expose and tackle what he described as "the unlawful trade in confidential personal information".[92] The Commissioner argued that as public and private sector bodies hold more and more personal information and as Government initiatives direct that such information is collected and shared centrally, the risk of security breaches by individuals engaging in this unlawful trade "inevitably" increases.[93]

99. The Commissioner told us that:

For any member of this Committee or any member of the public here I could say what the tariff is for getting your personal information ... I could say how much to get your mobile phone records; how much to find out if you have a criminal record or not; how much to get hold of your DVLA records to see who owns the car parked outside your house last night.[94]

Those willing to pay for such information include finance companies and local authorities seeking to recover debts, estranged couples with one party seeking to trace the other, and criminals seeking to perpetrate fraud or to intimidate witnesses or jury members.

100. We asked the Commissioner to recount his experience of the impact of being the victim of the trade in personal information, including where such details are used for the purposes of identity fraud, also called identity theft:

When people find their identity has been stolen there can be severe financial consequences. Even if the banks and others assume some ultimate liability there can be a horrendous amount of hassle and worry for people to sort matters out ... If people find they are being impersonated their reputations can suffer. It can be in the workplace, it can be in their social environment, with their families ... if people's private lives are unjustifiably intruded upon, there can be a very, very real deep sense of outrage.[95]

Identity fraud

(h) The Royal Academy of Engineering defines identity fraud (or as it is often known, identity theft) as "the impersonation of someone else in order to obtain financial benefits (for example, by purchasing goods on-line) or to avoid penalties (for example, speeding fines incurred when using a hire car)".[96]

(i) We discuss the concept of identity in the context of personal information below at paragraph 145.

Data loss and identity fraud

101. The International Association of Privacy Professionals (IAPP) drew a distinction between security breaches as a result of criminal activity and those occasions on which "people just lose disks or other back-up tapes".[97] During our inquiry, however, a series of high-profile incidents of data loss by Government agencies served to underline the risks associated not only with the abuse of surveillance by criminals but also with the collection and sharing of personal information for the purpose of delivering public services.

102. In terms of the amount of data lost, the incident reported to the House of Commons in a statement by the Chancellor of the Exchequer on 20 November 2007 was the most serious. Two password-protected discs containing a full copy of HM Revenue and Customs "entire data" in relation to the payment of child benefit—records for 25 million individuals and 7.25 million families—were sent to the National Audit Office by HMRC's internal post system (operated by the courier TNT). The discs failed to reach the NAO and were not recovered.

103. Banks and financial institutions were informed of affected accounts so that they could monitor them for irregular activity and evidence of fraud and the Chancellor asked Kieran Poynter, Chair of PricewaterhouseCoopers, to investigate HMRC's security processes and procedures for data handling. The Prime Minister asked the Cabinet Secretary and security experts to ensure that all departments and agencies checked their procedures for the storage and use of data.[98]

104. After details of the data loss were made known to the public, APACS, the UK Payments Association, sought to reassure customers that "there is no evidence that the data has fallen into criminal hands nor that any fraud has been attempted as a result of this incident".[99] In February 2008, the security firm McAfee reported on a phishing attack that targeted victims of the HMRC data loss with an email offering the recipient the opportunity to claim a tax refund of �215 from the government and containing a link to a suspect website.[100]

(j) Phishing
(k) Phishing is a type of deception designed to steal valuable personal details, such as credit card numbers, passwords, account data, or other information, by means of fraudulent email messages or 'pop-ups' that appear to come from known websites such as those run by banks or credit card companies.

105. Whilst this data loss incident does not seem to have resulted in large-scale theft from the bank accounts of child benefit recipients, it has highlighted the potential consequences of compromising sensitive personal information in the terms described by the Information Commissioner.

Incorrect information and false matches

106. Another risk associated with surveillance is the danger that an individual will suffer harm not because he or she has been impersonated by someone else but because an organisation or individual targets him or her by mistake or makes decisions based on incorrect information. Where these decisions involve targeted marketing, harm to an individual might amount only to inconvenience or to missed opportunities to choose a more appropriate product or service—although concerns have been raised about the implications for individual privacy of new internet advertising services which collect information about users' internet searches[101]—but where financial, health or security decisions are concerned the potential for harm is much greater.

107. Dr Eric Metcalfe, Director of Human Rights Policy at JUSTICE, gave an example to illustrate the potential effect of surveillance-based decision-making on an individual's life:

Maybe someone is arrested. It is a case of mistaken identity, but someone makes a complaint about them being, say, a sex offender. They are acquitted or maybe charges are not even brought, and they think nothing of it until the next time they apply for a job working with children, and then they find they cannot because they have failed the child protection check because of the fact they have been arrested in relation to a sex offence means that that information has to be disclosed.[102]

Dr Metcalfe did not argue that this kind of information should not be disclosed in any circumstances but rather that in general "we do not have very much appreciation of the way in which information is transferred".[103]

Cumulative effect of misuse or mistakes: a disproportionate burden on the disadvantaged?

108. Whilst there are steps that individuals themselves can take to protect their privacy, and to gain access to the information held about them under the rights afforded by the Data Protection Act, to check that information is correct or to limit its disclosure to suit their needs, taking these steps requires individuals to exercise an informed choice in relation to surveillance. Those without the degree of awareness or the means to exercise this choice may therefore be at greater risk of suffering harm as a result of misuse or mistakes in information held about them; where no such choice is available their vulnerability may be compounded.

109. Throughout our inquiry we heard evidence of the strong link between choice and privacy. Witnesses representing private sector organisations emphasised the choice that consumers could exercise over providing information about themselves and the availability of choices such as obtaining credit reference reports. Mike Bradford of Experian told us that awareness of these choices was becoming more widespread:

people are far more aware than they used to be of what a credit reference agency does. It is not Big Brother where data sits there and there are black lists with all the other very emotive things over which at one point there was concern. We have a strategic imperative in our business to work on consumer education and awareness.[104]

The Department of Health outlined the choices available to NHS patients in relation to the records of their care, including a range of 'opt out' decisions:

Individuals who have concerns can choose not to have a Summary Care Record created for them. They will be advised to inform their GP of their views and to request that a note be made of their concerns and the choice they have made ... They can alternatively choose to have a Summary Care Record created but not accessible to anyone but themselves. They will be able to access it anytime using a secure internet site called HealthSpace. Patients will of course be able to change their mind and request a Summary Care Record at any point.[105]

110. The Information Commissioner's Office works to raise awareness of the kinds of information which organisations collect about individuals, and of the individual's 'right to know'. Whilst the Commissioner told us that he was working with Connecting for Health (the agency responsible for delivering the electronic patient record) on the scope for tailoring people's use of patient information "more in line with their personal preferences", and that there was scope for developing such options in other particular areas, he argued that the choices available in the public sector were strictly limited:

it is not like in the private sector where you do have a genuine choice: you can choose that holiday or that loyalty card or that bank account and you can shape your choices according to what is on offer. When you are dealing with the Health Service, the police, the taxman, by and large there is not much scope for choice.[106]

Deepening the 'digital divide': a 'privacy divide'?

111. Means of exercising choice over the personal information that is collected, stored and used often depends on access to technology. Whilst internet penetration in the UK has increased to 61%[107]—increasing at the same time the amount of personal information available for collection—and a range of applications and devices to detect and deter surveillance have been developed, a number of our witnesses acknowledged the concern that reliance on such developments could lead to what the Surveillance Studies Network described as "a society of privacy haves and have-nots".[108] The Government's Chief Information Officer, for example, said that it was "very important that we do not disenfranchise any section of the public by going down one particular route".[109] We discuss this issue in the context of privacy-enhancing technologies below at paragraph 152.

Profiling

112. Beyond internet penetration and a focus on electronic delivery of services, technological developments have allowed for information on different databases to be matched and to be 'mined' automatically to link data on individuals and create 'profiles' using algorithms to group individuals together according to their characteristics, preferences or activities (see above at paragraph 40). The Royal Academy of Engineering argued that in creating profiles, "categorisation is rarely perfect" and that this can lead to inappropriate groupings: in turn people could find themselves sorted and stigmatised as criminals or bad creditors. It went on to argue that profiling to identify people as potential criminals "risks treating all people who fit a certain profile as potential terrorists or criminals".[110]

113. We heard evidence of the danger that profiling may accentuate existing social inequalities, with practical effects for the individuals involved, consequences for the privacy and liberty of those individuals, and wider implications for society. The Law Society's evidence made explicit its concern that profiling could have undesirable ramifications for individuals and society:

Profiling in order to identify possible criminal activity is objectionable to the extent that it makes everyone a suspect. It is dangerous in its reliance on potentially inaccurate or out-of-context data and its use of unprovable algorithms. It tends towards a reversal of the normal burden of proof in both civil and criminal law.[111]

Impact of surveillance on privacy and individual liberty

114. When we asked Shami Chakrabarti of Liberty about the risks to the individual posed by a 'surveillance society', she emphasised that privacy was a qualified right and that there were "very good reasons", such as security or public health concerns, why the value of the right of privacy could be "lost or forgotten on occasion." She argued, however, that it was important for the "ethical, political and legal debate" to keep pace with the technological developments which provided new opportunities to interfere with privacy,[112] and that its value—as embodied by the concept of a secret ballot—should not be underestimated:

Without this right, even in the human rights community, sometimes regarded as a bit low-level, a bit trivial—it is not torture, it is not arbitrary detention—you cannot have free elections, freedom of thought, conscience and religion, freedom of speech in some circumstances without that little bit of personal space and respect for it.[113]

115. Dr Eric Metcalfe, representing JUSTICE, argued that even if information held about an individual was not misused or misrepresented the fact of its storage and potential use was significant:

if I write a diary and I leave it in a room and I am subsequently aware that maybe 10 people have gone through that room and had the opportunity to read my personal thoughts sitting on the desk, maybe none of them did, but already that has had an effect on my personal privacy. If you think about all your personal data as being in that diary and if you think about not merely 10 people passing through that room but, say, all the relevant agencies that have come on to the stage having access, then you have reason to be concerned, and your own sense of personal privacy, which we think has a very important value because it allows us to do so many things that we take for granted as being part of a good life, is affected as a result.[114]

Effect on society as a whole: the question of trust

116. The Information Commissioner told us that the wider harm to society caused by excessive surveillance can include:

intrusion into private life which is widely seen as unacceptable

loss of personal autonomy or dignity

arbitrary decision-making about individuals, or their stigmatisation or exclusion

the growth of excessive organisational power

a climate of fear, suspicion or lack of trust.[115]

117. These risks combine the practical effects of mistakes or misuse of data, with what might be regarded as more 'philosophical' concerns about the effect of surveillance on privacy and individual liberty. The Commissioner argued that these "more philosophical issues" about the collection and use of information were linked to the question "what sort of society are we content to live in?"[116]

Trust
In this report we use the word 'trust' predominantly to mean confidence in and reliance on the capabilities and good faith of a person or organisation.

118. Dr Metcalfe of JUSTICE saw a close relationship between an individual's enjoyment of his or her privacy and the value of privacy to wider society:

personal liberty is ultimately part of the common good ... we benefit not merely as individuals in having privacy, we benefit as a society: because people do things in their private space, in their private time, and the benefits from that flow on to society as a whole.[117]

In the same way Liberty argued that where surveillance put the privacy of an individual at risk, the broader relationship between citizen and state was also at stake:

without really quite a significant degree of value paid to personal privacy, there would be a society where the dignity of the individual has been compromised; intimacy between people, confidence between people and trust in big institutions, whether it is the Health Service or the Government, would be lost.[118]

The Department of Health confirmed that patients' willingness to trust the National Health Service with their information was crucial to the delivery of individual patient care and to the success of secondary research:

Without public confidence in how information about patients is managed we risk losing one of the fundamental tenets of how the NHS can operate.[119]

119. The primary purpose of collecting information from patients—to facilitate diagnosis and treatment—and the consequences of mistakes or security breaches—misdiagnosis, the release of sensitive information an individual might wish to keep private—are clear. However, in other contexts the methods and purposes of collecting and sharing personal information are less evident and a greater degree of trust is required on the part of the individual.

120. Where technological developments have removed technical and cost barriers to the collection, storing, searching and sharing of information we trust those who hold our information not only to keep it securely but also to refrain from using it for purposes other than those for which it was collected. Dr Chris Pounder, Editor of Data Protection and Privacy Practice, described the relationship this situation established between the individual and all those who bear responsibility for the collection and sharing of their information:

The public has to trust that the datasharing is limited in accordance with the rules, the public have to trust that staff who do the datasharing are properly trained and follow the rules, the public have to trust that the procedures for authorising the data are properly maintained and the public have to trust that Parliament does not enact legislation that provides for function creep. All this trusting is in one direction.[120]

Dr Pounder told us that "if this trust is broken on occasions or generally, it manifests itself, not just in a way that is of detriment to the individual but of great harm to public policy as well".[121]

121. Other witnesses concurred that—particularly where surveillance is carried out not in a targeted way for a clearly defined purpose but as a matter of routine—erosion of trust could have serious consequences. The Royal Academy of Engineering argued that a policy of using surveillance to profile people in order to identify potential criminals could generate "distrust of the authorities that use such profiling methods".[122]

122. If individuals withdraw their co-operation from authority because they do not trust it, by refusing to provide information on a voluntary or consensual basis, in turn those in authority will need to carry out more surveillance in order to achieve their aims in terms of improving public services and enhancing public safety. This scenario might represent an unlikely outcome but it is one which several of the witnesses in our inquiry have envisaged as a realistic prospect, arrived at after incremental increases in the scale of surveillance effected without proper consideration of the risks involved.

Conclusion: a matter of balance

123.  The technological developments which facilitate the collection, storage and use of information about individuals and their activities have clear benefits for the individual as a consumer and a user of public services. If collected accurately and used properly databases of personal information can support both 'de-personalised', impartial decision-making processes and the delivery of 'personalised' services tailored to the needs of the individual.

124.  However, the risks associated with the collection and use of personal information in databases in particular and the monitoring of individuals' behaviour in general, should not be underestimated. Mistakes or misuse of data can result in serious practical harm to individuals. Those less demonstrable risks which relate to the erosion of one's sense of privacy or individual liberty also have a practical aspect and a broad application in that they affect the way in which citizens interact with the state.

125.  The risks associated with surveillance increase with the range and volume of information collected. The Government has a crucial role to play in maintaining the trust of the public: any evaluation of the use of surveillance must take into account the potential risk to this relationship with the public.

126.  Technological capabilities continue to expand, increasing our means both of generating information about ourselves and of using that information for different purposes. But the drive to make the most of these capabilities should be tempered by an evaluation of the risks involved in collecting more information. Particular consideration should be given to situations in which individuals might suffer as a result of their lack of awareness or ability to take advantage of opportunities to exercise choice over how information about them is used, or to check that it is accurate.

74 Surveillance Studies Network, A Report on the Surveillance Society: Full Report: revised with a new Postscript (March 2007), p 1 Back

75 Q 1 (Richard Thomas) Back

76 Ibid. Back

77 Q 114 (Stephen Sklaroff) Back

78 Q 115 (Stephen Sklaroff) Back

79 Q 128 (Martin Briggs) Back

80 Qq 140-1 Back

81 Academy of Medical Sciences, Personal data for public good: using health information in medical research, January 2006, p 3 Back

82 Q 237 (Professor Dezateux) Back

83 Q 238 (Professor Dezateux) Back