Memorandum submitted by The Law Society
of England and Wales
1.1 The Law Society's interest in the topic
of "surveillance" is a product of its (public interest)
concern to ensure that a clear legal framework exists within which
increasingly powerful and pervasive technologies of surveillance
are deployed. We are also concerned about the practicaland
financialimplications that certain surveillance initiatives
(like Identity Cards and the retention of web and phone records)
could have on our members and their clients.
1.2 The Information Commissioner has warned
that the UK is now waking up to a surveillance society. It is
therefore important to engage in as wide a debate as possible
across the spectrum of interestsfrom law enforcement to
individual privacy. It is one of the reasons the Society hosted
a seminar entitled "SurveillanceSecurity or Intrusion"
in November 2005 and which was attended by leading academics,
campaigners, officials and the Home Office minister responsible
for Identity Cards.
2. THE NATURE
2.1 Surveillance today takes many forms.
What is notable in recent years is that the growth and spread
of digital technologies means that all of us nowadays leave a
massive daily footprint of datawhere we travelled and how
(Oyster cards and automatic number plate recognition); who we
telephoned and where we were at the time (mobile 'phone records);
what we looked up on the Internet; who we e-mailed (communications
data retention); and what we bought (credit, debit and loyalty
cards). And all of this data is stored digitally and retained,
sometimes for years.
2.2 A great deal of personal information
that was formerly held in separate government databases is being
joined together and the government has plans for more databases
like the National Identity Registerwhich will store
even more. Moreover our images are recorded dozens of times a
day on CCTV cameras and we are in the early stages of a national
3. THE GROWTH
3.1 Many people would argue that the level
of surveillance is growing in all Western democracies. To a large
extent this reflects increasing technological capability. In the
UK the government has for many years been pursuing an ambitious
programme to join-up its existing databases and develop new ones.
Large private sector companies ranging from credit reference agencies
to supermarkets and advertisers are also interested in gathering
and processing large quantities of personal data. And, alongside
the collection of data, the use of technologies like CCTV in public
and private spaces is extremely high in the UK.
3.2 In deploying powerful surveillance technologies
it is important to be clear about their purpose and to ensure
that their use is regulated within a clear legal framework. It
is usually a question of balance. Whilst the public may welcome
increased data sharing between government departments in order
to improve public sector efficiency they still want to know that
the information they give to the tax authorities and their consultation
with their doctor or their solicitor will remain properly protected.
3.3 Individual initiatives can no longer
be considered in isolation. They need to be considered in terms
of their potential contribution as a component of what the Information
Commissioner has called "the infrastructure of a surveillance
4. ACCESS BY
4.1 There are real dangers in routine public
sector use of private sector databases and in our view this should
only occur without the consent of individual data subjects in
exceptional circumstances (for example, serious crime or national
4.2 Amongst our concerns are:
the quality of data on private
uncertain redress mechanisms
for individuals disadvantaged by public sector use of incorrect
or incomplete private sector data; and
the inappropriateness of the
public sector using databases that involve market-led judgments
(for example about risk) that should have no place in public administration.
4.3 Government use of data held by large
private sector data aggregators may effectively by-pass restrictions
on the data that Parliament has agreed that Government can collect
5.1 Data sharing between government departments
and agencies was the subject of a major government report in 2002
(Privacy and data-sharing, Performance and Innovation Unit,
April 2002). The Prime Minister said that he wanted to see "early
progress" in taking forward its recommendations. The following
are amongst the recommendations that have not been implemented:
the introduction of a Public
Services Trust Charter setting out key commitments to citizens
in protecting privacy and personal data in their interactions
with public services and supported by service-specific statements;
improved access for individuals
to their personal data held by public authorities;
better explanations of the individual's
rights to access public data with clear points of contact;
procedures to enable the public
to correct their personal information with consideration of targets
for response, monitoring and publishing performance data;
access to quick and efficient
procedures for dealing with complaints about the handling of personal
all public sector organisations
to have a named senior manager with clear responsibility for the
handling of personal information;
the development of methods for
measuring data accuracy and reliability and an agreed set of methodologies
for measuring and improving data quality; and
internal and external audits
across the public sector to improve data accuracy and reliability.
5.2 If data sharing between departments
and agencies is to become more widespread (as part of "transformational
government"), then these recommendations are worth revisiting.
5.3 We would also draw attention to the
problem that widespread data sharing between departments and agencies
will increase the risk of security breaches.
5.4 Finally, data sharing should support
improved customer service (for example, automatic entitlement
to benefits) and not just expenditure control. This may help to
emphasise the importance of data quality to government since departments
could be incurring expenditure on the presumption of accuracy
and not just curtailing it. Such data accuracy would feed across
into Home Office databases including the National Identity Register
which, we understand, will make use of databases in the Department
for Work and Pensions.
6. EXISTING SAFEGUARDS
6.1 The European Data Protection Directive,
the Data Protection Act, the Privacy and Electronic Communications
Regulations, the Regulation of Investigatory Powers Act and the
European Convention of Human Rights and the Human Rights Act do
provide a robust legal framework that helps to safeguard individual
privacy and personal data.
6.2 This basic framework is, however, quite
complex and there is some evidence that it is not widely understood.
Significant aspects of the basic framework are inevitably open
to interpretation by the courts.
6.3 Statutory and regulatory additions to
this basic framework, particularly in such areas as surveillance
and retention and access to communications data, add an additional
layer of complexity that makes the full picture extremely difficult
to describe and understand. Vulnerable groups, for example groups
whose first language is not English and who may be the target
of police surveillance, may have particular difficulty. It is
essential that the government ensures that appropriate levels
of legal advice and support are available.
6.4 The interaction between the overall
legal framework and the statutory and non-statutory data sharing
gateways between department, agencies, local authorities and the
private sector, appears to be opaque even to government.
6.5 The quality of administrative safeguards
for data use appears to be unknown. Technical safeguards, apart
from technical security safeguards, do not appear to exist.
7.1 The problems flowing from the use of
private databases, data-sharing and some lack of clarity in legal
and technical safeguards are exacerbated where data is used for
7.2 Profiling in order to identify possible
criminal activity is objectionable to the extent that it makes
everyone a suspect. It is dangerous in its reliance on potentially
inaccurate or out-of-context data and its use of unprovable algorithms.
It tends towards a reversal of the normal burden of proof in both
civil and criminal law.
7.3 Profiling may also take place secretly.
Individuals may be treated differently or disadvantaged for reasons
they are unaware of and do not have the opportunity to challenge.
In the private sector this may involve individuals with high net
worth receiving quicker, more personalised, service than others.
This has no place in public administration.
8. THE MONITORING
8.1 There may be a good argument for giving
the Information Commissioner additional powers and resources to
monitor abuses in relation to the collection and use of data.
8.2 However, the numbers of databases and
the detailed level of review required in order to identify abuses,
may suggest that however well-resourced, no central organisation
could adequately monitor abuse.
8.3 A requirement for independent data audits
for government data bases and for private sector databases used
by departments and agencies could be introduced. These could be
made published annually. The Information Commissioner might undertake
further investigation where departments or agencies failed an
8.4 The case for rationalising wider oversight
arrangement which currently include the Intelligence Services
Commissioner, the Interception of Communications Commissioner,
the Chief Surveillance Commissioner, the Information Tribunal,
the Information (National Security) Tribunal and the Investigatory
Powers Tribunal should be considered.
9.1 There needs to be a more thoroughgoing
and informed public debate about what the right balance between
security, efficiency and individual privacy should be. A review
of the existing, labyrinthine, laws on surveillance and data sharing
would be valuable and might lead to improvements to ensure that
when mistakes are made, or when unwarranted intrusions into personal
privacy occur, effective redress is available. It might also be
appropriate to introduce mandatory administrative processes for
properly assessing the impact on individual privacy of proposed
9.2 Privacy Impact Assessments (PIAs) to
be carried out as part of the legislative process could help to
ensure a systematic approach to privacy questions. They might
well involve multi-disciplinary expertise and we would anticipate
that solicitors with relevant experience could play a significant
part. If the outcome of the assessment was made public this would
encourage welcome public debate.