Select Committee on Home Affairs Fifth Report



Conclusions and recommendations

Introduction

1.  We reject crude characterisations of our society as a surveillance society in which all collections and means of collecting information about citizens are networked and centralised in the service of the state. Yet the potential for surveillance of citizens in public spaces and private communications has increased to the extent that ours could be described as a surveillance society unless trust in the Government's intentions in relation to data and data sharing is preserved. The Home Office in particular and Government in general must take every possible step to maintain and build on this trust: our Report provides a starting point. (Paragraph 14)

Surveillance in context

2.  Advances in technology have supported a significant increase in the potential for surveillance of the activities of individuals in the United Kingdom. We welcome the Information Commissioner's efforts to raise awareness of this trend, particularly in relation to the collection of personal data, and to encourage the Government to consider the implications of the growth of surveillance for the individual and society. We recommend that the Information Commissioner lay before Parliament an annual report on surveillance, and that the Government produce a response to each report, also to be laid before Parliament. We further recommend that Parliament have the opportunity to hold an annual debate on this issue. (Paragraph 36)

Why has the use of surveillance increased?

3.  Technological advances in terms of the collection, storage and use of personal information have enabled the private sector to target its communications at particular groups of consumers and to provide more personalised services. The development of this capability has produced an increasing reliance on digitally-supported means of making decisions. We do not dispute the benefits to the consumer of an impartial decision-making process on the one hand and a more appropriate and convenient service on the other. We do, however, note that these benefits depend on the accuracy of the data collected and the security of the systems in which the data is held. (Paragraph 52)

4.  A strong common theme is emerging in both the private and public sector: a move towards more personalised services which require the service provider to collect information from individuals in order for the service to be effective. Whilst the outcome may be more personalised, however, the trend in terms of input is a standardisation of the information requested with a tendency to collect information which may identify an individual even where this is not needed in order to provide or improve services. (Paragraph 76)

5.  We recognise the desire of private and public sector service providers to make full use of the opportunities provided by technology in relation to targeting and facilitating access to services and products. We also accept that advances in technology have heightened the public's expectations of what technology can deliver not only in terms of convenience but also in connection with the prevention and investigation of crime. The elimination of technological barriers to the collection, storage and sharing of large volumes of information, however, has significant implications for individual privacy and potentially for society at large. (Paragraph 77)

6.  The Government should be open about its intentions in relation to collecting personal information, and should make sufficient time for public and Parliamentary debate on its proposals. In general the Government should move to curb the drive to collect more personal information and establish larger databases. (Paragraph 78)

What are the implications of the growth in surveillance for the individual and society?

7.  The technological developments which facilitate the collection, storage and use of information about individuals and their activities have clear benefits for the individual as a consumer and a user of public services. If collected accurately and used properly databases of personal information can support both 'de-personalised', impartial decision-making processes and the delivery of 'personalised' services tailored to the needs of the individual. (Paragraph 123)

8.  However, the risks associated with the collection and use of personal information in databases in particular and the monitoring of individuals' behaviour in general, should not be underestimated. Mistakes or misuse of data can result in serious practical harm to individuals. Those less demonstrable risks which relate to the erosion of one's sense of privacy or individual liberty also have a practical aspect and a broad application in that they affect the way in which citizens interact with the state. (Paragraph 124)

9.  The risks associated with surveillance increase with the range and volume of information collected. The Government has a crucial role to play in maintaining the trust of the public: any evaluation of the use of surveillance must take into account the potential risk to this relationship with the public. (Paragraph 125)

10.  Technological capabilities continue to expand, increasing our means both of generating information about ourselves and of using that information for different purposes. But the drive to make the most of these capabilities should be tempered by an evaluation of the risks involved in collecting more information. Particular consideration should be given to situations in which individuals might suffer as a result of their lack of awareness or ability to take advantage of opportunities to exercise choice over how information about them is used, or to check that it is accurate. (Paragraph 126)

Are existing safeguards strong enough?

11.  We welcome efforts to develop technological means by which organisations and individuals can protect personal information and prevent unwarranted monitoring of individuals' online activities. We recommend that the Government track and make full use of new developments in encryption and other privacy-enhancing technologies and in particular those which limit the disclosure and of collection of information which could identify individuals. We further recommend that the resources of the Information Commissioner's Office be expanded to accommodate sufficient technical expertise to be able to work with the Chief Information Officer to provide advice on the deployment of privacy-enhancing technologies in Government. (Paragraph 159)

12.  We recognise, however, that awareness of and access to privacy-enhancing technologies is not universal amongst the public. Over-reliance on the capacity of technology to secure data systems leads to neglect of the need to ensure that processes for the management of information by organisations are robust. It also raises unrealistic and potentially discriminatory expectations of individuals who are not in a position to take steps to prevent the theft of their personal information. (Paragraph 160)

13.  Where individuals have little or no choice about providing personal information, such as in their interactions with Government, it is especially important that the organisation which collects and holds the information takes responsibility for safeguarding it, rather than attempting to pass on the responsibility to the individual. The organisation's responsibility should begin before collection takes place: by obtaining consent for collecting and processing data where possible and by providing an explanation where this is not possible. (Paragraph 161)

14.  The Home Office should work with the Information Commissioner to raise public awareness of how the Home Office collects, stores, shares and uses personal information. The Home Office should highlight the distinction between those areas in which individuals can exercise choice by giving or withholding their consent, and those areas in which seeking informed consent is not feasible and transparency is particularly important. (Paragraph 162)

15.  The principle of restricting the amount of information collected to that which is needed to provide a service should guide the design of any system which involves the collection and storage of personal information. We recommend that the Government adopt a principle of data minimisation in its policy and in the design of its systems. We further recommend that the Government acknowledge the distinction between identification and authentication as one which is valuable in its efforts to adhere to this principle. (Paragraph 163)

16.  It is not just the volume of data collected that creates a problem: the longer information is retained, the more likely it is that the information will be out of date and inaccurate. Information should be held only as long as is necessary to fulfil the purpose for which it was collected. If information is to be retained for secondary purposes rather than service delivery it should normally be anonymised and retained only for a previously specified period. (Paragraph 164)

17.  We welcome the reviews commissioned by the Government to improve data security, particularly in relation to information-sharing. We expect the Government to make full use of the opportunity these reviews provide to reassess the adequacy of the definitions and principles set out in the Data Protection Act. Such a reassessment should be carried out not only in light of recent data loss incidents but also against the challenges presented by increases in the collection, storage and sharing capability of information systems and intensification in criminal activity associated with the misuse of personal information. The Home Office must act as a matter of urgency to tackle these challenges. (Paragraph 189)

18.  Any increase in the collection and storage of information increases the risk that security will be breached and that information will be used for purposes other than those for which it was collected. In keeping with a principle of data minimisation, more rigorous risk analysis of systems already in place must be carried out before new techniques for collecting information are deployed or new databases planned. The decision to create a major new database, share information on databases, or implement proposals for increased surveillance should be based on a proven need. (Paragraph 190)

19.  We commend the Information Commissioner for his work on Privacy Impact Assessments and support his drive to ensure that Government and others undertake thorough evaluation work in relation to the benefits and risks of surveillance. We also acknowledge that if published, in providing individuals and interest groups with details about surveillance activities which would not otherwise be made available, PIAs could help to raise awareness of the issues the Information Commissioner has sought to highlight. (Paragraph 191)

20.  We are concerned, however, that PIAs might be regarded simply as bureaucratic exercises, and that they would be undertaken not before and during the design phase of any system but afterwards; by which time their value as a practical risk assessment tool would have been lost. For PIAs to be effective they should be used to carry out preliminary risk analysis for a new project before the design phase begins. For Government departments and agencies this preliminary risk analysis should culminate in a summary statement, to be signed off by the Information Commissioner or otherwise subject to independent audit. The statement should set out the benefits of a new system against the risks posed by collecting, storing and using the information required by the system. (Paragraph 192)

21.  Every system for collecting and storing personal information should be designed with a focus on security and privacy. The design process should involve planning not only in relation to the technical aspects of access to systems but also to the staff management protocols for access and information-handling. (Paragraph 193)

22.  Every system for collecting and storing data is susceptible to unauthorised access, misuse and theft. For existing and proposed systems the Government should specify what it considers to be an acceptable level of failure and develop contingency plans to mitigate the damage caused by leaks or theft of data. (Paragraph 194)

23.  The weakest aspect of a system may be the establishment and enforcement of protocols for access and use rather than any technological safeguard. Organisations which manage such systems must take full responsibility for limiting access to databases and the information they contain and for enforcing procedures for sharing and transferring data. We support the Information Commissioner's call for an extension of his inspection and audit powers to facilitate the strengthening of these procedures across Government and the private sector. Tougher penalties for negligent information-handling should be introduced in order to make clear where the burden of responsibility lies. (Paragraph 195)

24.  A privacy officer or director of data security should be assigned by departments to take responsibility for risk analysis and to report to the Permanent Secretary on the privacy implications and safeguards of each project which involves the collection or sharing of personal information. (Paragraph 196)

25.  The Home Office should publish a report on an audit of the data collections managed by the Department and its agencies, outlining as far as possible without compromising security the technological and procedural safeguards currently in place. (Paragraph 197)

What role does surveillance play in the work of the Home Office and the fight against crime?

Camera surveillance

26.  Under camera surveillance in public spaces, individuals have very little control over whether or not their images and movements are captured and over how they are stored and used. This lack of choice intensifies the obligation on camera operators and regulators to behave responsibly and to deploy surveillance technology only where it is of proven benefit in the fight against crime and where this benefit outweighs any detrimental effect on individual liberty. (Paragraph 221)

27.  We acknowledge the popularity of CCTV schemes and do not underestimate the potential effect on crime levels of successful attempts to encourage people to use public spaces. However, as the Minister told us, it has been difficult to quantify the benefits of CCTV in terms of its intended effect of preventing crime. We recommend that the Home Office undertake further research to evaluate the effectiveness of camera surveillance as a deterrent to crime before allocating funds or embarking on any major new initiative. The Home Office should ensure that any extension of the use of camera surveillance is justified by evidence of its effectiveness for its intended purpose, and that its function and operation are understood by the public. (Paragraph 222)

28.  We welcome the drive to create standards for the use of camera surveillance in order to enhance the value of the images captured in the fight against crime. We recommend that the Home Office work with the police to increase public awareness and manage public expectations of camera surveillance. (Paragraph 223)

29.  Whilst we share the reservations of the police about unfettered public access to surveillance cameras, we endorse the Information Commissioner's calls for greater transparency in relation to camera surveillance and recommend that the Home Office take steps to facilitate access to footage in certain circumstances, for example where an individual is seeking to eliminate him or herself from police enquiries. (Paragraph 224)

30.  The continued value and popularity of CCTV depends on continued public confidence that camera operators are acting responsibly and that the Government, in regulating CCTV schemes, is mindful of concerns about privacy. We note that the Minister saw the fact that much CCTV footage is held for a limited period of time as a barrier to the development of a surveillance state. In designing camera schemes operators should consider how long images need to be stored and the Home Office should support a principle of data minimisation in this respect. (Paragraph 225)

31.  We acknowledge that technological developments have significantly increased the potential of camera surveillance in terms of crime detection. However, the Government should evaluate the impact of each major development for its effect on individual liberty. In particular, the Home Office should give its assurance that it will not countenance schemes such as those which involve the use of microphones attached to cameras, and in effect apply the techniques of directed and intrusive surveillance to the general public. Such measures impinge on the degree of privacy individuals expect to be able to enjoy in public spaces and the Home Office must take responsibility for guarding against this kind of constraint on individual liberty. (Paragraph 226)

National Identity Scheme

32.  We have not sought in our inquiry to revisit the debate on the merits of identity cards. We are concerned, however, about the potential for 'function creep' in terms of the surveillance potential of the National Identity Scheme. Any ambiguity about the objectives of the Scheme puts in jeopardy the public's trust in the Scheme itself and in the Government's ability to run it. Whilst we accept the Government's assurance that the Scheme will not be used as a surveillance tool, we seek the further assurance that any initiative to broaden the scope of the Scheme will only be proposed after consulting the Information Commissioner and on the basis that proposals will be subject to parliamentary scrutiny in draft form. (Paragraph 236)

33.  We recommend that the Home Office produce a report on the intended functions of the National Identity Scheme in relation to the fight against crime, containing an explicit statement that the administrative information collected and stored in connection with the National Identity Register will not be used as a matter of routine to monitor the activities of individuals. (Paragraph 237)

34.  We note the distinction drawn by the Minister between the National Identity Scheme and "the most lamentable of government IT projects" and agree that staged implementation provides a degree of protection against security breaches. Nevertheless, the Home Office must plan for security breaches and in particular it should examine the consequences of theft of the biometric information which forms part of the NIR. (Paragraph 245)

35.  Taking into account the effect of recent data loss incidents on public confidence in the Government as a guardian of personal information, we recommend that the Home Office submit more detailed plans for securing the NIR databases and a broad outline of contingency plans to be implemented in the event of a loss or theft of biometric information from databases managed by the Identity and Passport Service, for comment by the Information Commissioner. (Paragraph 246)

36.  Recent data loss incidents have involved failures not of technology but of policy in that those who had access to the information in question did not observe proper procedures for the handling and sharing of data. The Minister's assurances that the Government has learned lessons, though welcome, are not sufficient to reassure us or, we suspect, the public. Access to NIR databases should be strictly limited and governed by clear protocols, which should be developed in consultation with the Information Commissioner. We recommend that the Home Office publish a detailed account of its plans for NIR access procedures. (Paragraph 247)

37.  The Home Office should address the Information Commissioner's concerns about the administrative information to be collected as part of the NIR. We accept that the Government's intention is to create an 'audit trail' to regulate access to NIR databases, but we are concerned about large stores of information about individuals' transactions and activities, particularly if registration is to become compulsory. (Paragraph 248)

38.  We recommend that the Home Office publish its plans for collecting and retaining administrative information as part of the NIR and that it commit to a principle of data minimisation for the National Identity Scheme. We seek assurance from the Home Office that it has taken full account of the potential of advanced privacy-enhancing technologies to reduce the amount of information it is necessary to collect in order to authenticate transactions and prevent fraud and unauthorised access. (Paragraph 249)

39.  We note that the Home Office has no plans to publish any specific privacy impact assessment of the National Identity Scheme. In terms of the design of the Scheme it is much too late for such an assessment to serve the intended purpose of integrating privacy considerations with the Government's plans to collect and store information. We recommend that on proposing any change in policy on the collection, storage, sharing or use of National Identity Register data, the Home Office make a report to Parliament on the implications of the change for an individual's privacy. The report should address the following questions: how much extra information will be collected? For how long will it be stored? How many more people will have access to it? For what new purpose will it be used? (Paragraph 250)

National DNA Database

40.  We recognise the National DNA Database as a valuable investigative tool, particularly in relation to police efforts to solve older cases. But the sensitive nature of the information which may be yielded by DNA heightens the degree of responsibility borne by the Government. The Home Office must work with the National Policing Improvement Agency and the police to set and observe a regulatory framework which protects individuals from unnecessary invasions of privacy and loss or unauthorised use of their genetic material and information gleaned from it. (Paragraph 281)

41.  The Home Office should actively support the NPIA in its efforts to reduce the rate of replication on the NDNAD. Inaccuracies in the information on the database must be corrected to enable the police and the public to reap the full benefit of the NDNAD. (Paragraph 282)

42.  We welcome the Government's assurance that the National DNA Database will not be used in any attempt to correlate particular genetic characteristics with propensity to commit crime. We recommend that the Home Office renew this assurance in conjunction with the Government's conclusions on the review of the Police and Criminal Evidence Act. We recommend that the Home Office make public at the earliest stage any plans to revisit this issue. (Paragraph 283)

43.  The Government's consultations should help to clarify the purposes and processes of DNA collection and retention. We endorse the views of the NPIA and the Minister that these purposes and processes must be transparent in order to maintain confidence in the database as a proportionate response to crime. (Paragraph 284)

44.  There have been calls for an expansion of the National DNA Database to include profiles connected with non-recordable offences and for a 'universal database' and for the Government to reconsider its policy on retaining the profiles of those who have been arrested but not charged. In order to facilitate a full debate and an appropriate level of Parliamentary scrutiny we recommend that alongside any conclusions of the PACE review the Government introduce primary legislation to replace the current regulatory framework for the National DNA Database. We recommend that this legislation provide for a more accessible mechanism by which individuals can challenge the decision to retain their records on the Database. (Paragraph 285)

45.  The Government should reconsider the ways in which National DNA database information is collected, handled, stored and transferred. In particular we recommend that in order to minimise the data held, the Home Office and the police should review the identifiers used for samples and the policy of retaining samples. (Paragraph 286)

The potential of other public and private sector databases for use in the fight against crime

46.  In its use of databases and other means of collecting, storing and using personal information the Home Office should explicitly address these questions: in the context of the fight against crime where should the balance between protecting the public and preserving individual liberty lie? How should this balance shift according to the seriousness of the crime? What impact will this have on the individual and on our society as a whole? (Paragraph 305)

47.  Even as society confronts its most serious threats it must protect its liberties. The fight against crime in general does not provide sufficient justification for information-sharing which might have an impact on privacy. It is vital that before information is shared for purposes other than those for which it has been collected those purposes are subjected to the closest scrutiny. (Paragraph 306)

48.  Information-sharing must only be carried out in the context of a robust statutory framework which incorporates tests of proportionality and mandates the securing of consent where possible. The effectiveness of information-sharing should be assessed at the stage at which a new project is proposed, in order to prevent unnecessary sharing and retention of data. We recommend that where the sharing or matching of information held by the Home Office or its agencies is proposed, the Information Commissioner should act as a consultee and mediator on the same footing as the Ministry of Justice. (Paragraph 307)

49.  Exemptions from the Data Protection Act notwithstanding, in giving consent and choosing services individuals are better informed about how their information is used and shared in the private sector than they are about how it might be used and shared by the Government. We recommend that the Home Office work with the Information Commissioner to raise awareness of how information generated in the private sector—such as details of retail purchases, or information posted on blogs or social networking sites, for example—might be used in the investigation of crime. (Paragraph 308)

50.  We welcome the Minister's reassurance that the Government is not interested in "fishing" for information about individuals. However, we do not underestimate the lure of new technological capabilities and new ways of sharing and matching information from a range of sources, which might appear to offer benefits in the fight against crime. The Home Office should exercise a 'self-denying ordinance' in relation to its use of technological capabilities and its power to collect personal information. (Paragraph 309)

51.  We would be particularly concerned by any attempt to use patient data or information held on children for the purposes of predictive profiling for future criminal behaviour rather than child protection: the Home Office must not undertake or sponsor work of this sort. (Paragraph 310)

Regulation of Investigatory Powers Act

52.  We recognise the distinction drawn by the Minister between the degrees of intrusion caused by the interception of communications and access to communications data. In our view, however, access to communications data by a relevant authority has a significant impact on an individual's privacy. We note the increase in requests for access to communications data in recent years and the large number of organisations empowered by RIPA to make such requests. Whilst communications traffic continues to increase and diversify, the provisions of RIPA in respect of communications data are not well understood. We recommend that the Home Office use the opportunity afforded by the latest review of RIPA codes of practice to take steps to raise public awareness of how and why communications data might be collected and used. (Paragraph 331)

53.  For each new organisation authorised under RIPA to request access to communications data, the Home Office should produce a statement setting out the purposes for which the data will be used and evidence that access to communications data represents a proportionate response in terms of the problem to be addressed and the impact on individual privacy. Any assessment carried out by the Home Office should apply a test of proportionality: a potential intrusion which might be justified by the need to investigate terrorism would not be justified by efforts to tackle minor crimes such as littering. (Paragraph 332)

54.  We note in the context of debate on the application of RIPA authorisations, the range of views on whether or not actions such as adjusting CCTV cameras constitute surveillance as defined by the Act. We also have serious concerns about the deployment of surveillance in relation to less serious crimes, which have been raised by—amongst other things—the use of RIPA powers to establish the validity of an application for admission to a school. The Home Office should undertake a public consultation on the levels of authorisation which should be required for various surveillance activities and the purposes which would justify different levels of intrusion. (Paragraph 333)

55.  We are concerned by the implications for Members of Parliament of the events investigated by Sir Christopher Rose. Constituents must be able to speak freely to their Members of Parliament without fear of intrusion by the state. We reserve the right to return to this issue in due course. (Paragraph 334)

 


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2008
Prepared 8 June 2008