Select Committee on Home Affairs Written Evidence


Memorandum submitted by The Law Society of England and Wales


  1.1  The Law Society's interest in the topic of "surveillance" is a product of its (public interest) concern to ensure that a clear legal framework exists within which increasingly powerful and pervasive technologies of surveillance are deployed. We are also concerned about the practical—and financial—implications that certain surveillance initiatives (like Identity Cards and the retention of web and phone records) could have on our members and their clients.

  1.2  The Information Commissioner has warned that the UK is now waking up to a surveillance society. It is therefore important to engage in as wide a debate as possible across the spectrum of interests—from law enforcement to individual privacy. It is one of the reasons the Society hosted a seminar entitled "Surveillance—Security or Intrusion" in November 2005 and which was attended by leading academics, campaigners, officials and the Home Office minister responsible for Identity Cards.


  2.1  Surveillance today takes many forms. What is notable in recent years is that the growth and spread of digital technologies means that all of us nowadays leave a massive daily footprint of data—where we travelled and how (Oyster cards and automatic number plate recognition); who we telephoned and where we were at the time (mobile 'phone records); what we looked up on the Internet; who we e-mailed (communications data retention); and what we bought (credit, debit and loyalty cards). And all of this data is stored digitally and retained, sometimes for years.

  2.2  A great deal of personal information that was formerly held in separate government databases is being joined together and the government has plans for more databases — like the National Identity Register—which will store even more. Moreover our images are recorded dozens of times a day on CCTV cameras and we are in the early stages of a national DNA database.


  3.1  Many people would argue that the level of surveillance is growing in all Western democracies. To a large extent this reflects increasing technological capability. In the UK the government has for many years been pursuing an ambitious programme to join-up its existing databases and develop new ones. Large private sector companies ranging from credit reference agencies to supermarkets and advertisers are also interested in gathering and processing large quantities of personal data. And, alongside the collection of data, the use of technologies like CCTV in public and private spaces is extremely high in the UK.

  3.2  In deploying powerful surveillance technologies it is important to be clear about their purpose and to ensure that their use is regulated within a clear legal framework. It is usually a question of balance. Whilst the public may welcome increased data sharing between government departments in order to improve public sector efficiency they still want to know that the information they give to the tax authorities and their consultation with their doctor or their solicitor will remain properly protected.

  3.3  Individual initiatives can no longer be considered in isolation. They need to be considered in terms of their potential contribution as a component of what the Information Commissioner has called "the infrastructure of a surveillance society".


  4.1  There are real dangers in routine public sector use of private sector databases and in our view this should only occur without the consent of individual data subjects in exceptional circumstances (for example, serious crime or national security).

  4.2  Amongst our concerns are:

    —    the quality of data on private databases;

    —    uncertain redress mechanisms for individuals disadvantaged by public sector use of incorrect or incomplete private sector data; and

    —    the inappropriateness of the public sector using databases that involve market-led judgments (for example about risk) that should have no place in public administration.

  4.3  Government use of data held by large private sector data aggregators may effectively by-pass restrictions on the data that Parliament has agreed that Government can collect directly.


  5.1  Data sharing between government departments and agencies was the subject of a major government report in 2002 (Privacy and data-sharing, Performance and Innovation Unit, April 2002). The Prime Minister said that he wanted to see "early progress" in taking forward its recommendations. The following are amongst the recommendations that have not been implemented:

    —    the introduction of a Public Services Trust Charter setting out key commitments to citizens in protecting privacy and personal data in their interactions with public services and supported by service-specific statements;

    —    improved access for individuals to their personal data held by public authorities;

    —    better explanations of the individual's rights to access public data with clear points of contact;

    —    procedures to enable the public to correct their personal information with consideration of targets for response, monitoring and publishing performance data;

    —    access to quick and efficient procedures for dealing with complaints about the handling of personal information;

    —    all public sector organisations to have a named senior manager with clear responsibility for the handling of personal information;

    —    the development of methods for measuring data accuracy and reliability and an agreed set of methodologies for measuring and improving data quality; and

    —    internal and external audits across the public sector to improve data accuracy and reliability.

  5.2  If data sharing between departments and agencies is to become more widespread (as part of "transformational government"), then these recommendations are worth revisiting.

  5.3  We would also draw attention to the problem that widespread data sharing between departments and agencies will increase the risk of security breaches.

  5.4  Finally, data sharing should support improved customer service (for example, automatic entitlement to benefits) and not just expenditure control. This may help to emphasise the importance of data quality to government since departments could be incurring expenditure on the presumption of accuracy and not just curtailing it. Such data accuracy would feed across into Home Office databases including the National Identity Register which, we understand, will make use of databases in the Department for Work and Pensions.


  6.1  The European Data Protection Directive, the Data Protection Act, the Privacy and Electronic Communications Regulations, the Regulation of Investigatory Powers Act and the European Convention of Human Rights and the Human Rights Act do provide a robust legal framework that helps to safeguard individual privacy and personal data.

  6.2  This basic framework is, however, quite complex and there is some evidence that it is not widely understood. Significant aspects of the basic framework are inevitably open to interpretation by the courts.

  6.3  Statutory and regulatory additions to this basic framework, particularly in such areas as surveillance and retention and access to communications data, add an additional layer of complexity that makes the full picture extremely difficult to describe and understand. Vulnerable groups, for example groups whose first language is not English and who may be the target of police surveillance, may have particular difficulty. It is essential that the government ensures that appropriate levels of legal advice and support are available.

  6.4  The interaction between the overall legal framework and the statutory and non-statutory data sharing gateways between department, agencies, local authorities and the private sector, appears to be opaque even to government.

  6.5  The quality of administrative safeguards for data use appears to be unknown. Technical safeguards, apart from technical security safeguards, do not appear to exist.


  7.1  The problems flowing from the use of private databases, data-sharing and some lack of clarity in legal and technical safeguards are exacerbated where data is used for profiling.

  7.2  Profiling in order to identify possible criminal activity is objectionable to the extent that it makes everyone a suspect. It is dangerous in its reliance on potentially inaccurate or out-of-context data and its use of unprovable algorithms. It tends towards a reversal of the normal burden of proof in both civil and criminal law.

  7.3  Profiling may also take place secretly. Individuals may be treated differently or disadvantaged for reasons they are unaware of and do not have the opportunity to challenge. In the private sector this may involve individuals with high net worth receiving quicker, more personalised, service than others. This has no place in public administration.


  8.1  There may be a good argument for giving the Information Commissioner additional powers and resources to monitor abuses in relation to the collection and use of data.

  8.2  However, the numbers of databases and the detailed level of review required in order to identify abuses, may suggest that however well-resourced, no central organisation could adequately monitor abuse.

  8.3  A requirement for independent data audits for government data bases and for private sector databases used by departments and agencies could be introduced. These could be made published annually. The Information Commissioner might undertake further investigation where departments or agencies failed an audit.

  8.4  The case for rationalising wider oversight arrangement which currently include the Intelligence Services Commissioner, the Interception of Communications Commissioner, the Chief Surveillance Commissioner, the Information Tribunal, the Information (National Security) Tribunal and the Investigatory Powers Tribunal should be considered.


  9.1  There needs to be a more thoroughgoing and informed public debate about what the right balance between security, efficiency and individual privacy should be. A review of the existing, labyrinthine, laws on surveillance and data sharing would be valuable and might lead to improvements to ensure that when mistakes are made, or when unwarranted intrusions into personal privacy occur, effective redress is available. It might also be appropriate to introduce mandatory administrative processes for properly assessing the impact on individual privacy of proposed initiatives.

  9.2  Privacy Impact Assessments (PIAs) to be carried out as part of the legislative process could help to ensure a systematic approach to privacy questions. They might well involve multi-disciplinary expertise and we would anticipate that solicitors with relevant experience could play a significant part. If the outcome of the assessment was made public this would encourage welcome public debate.

April 2007

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2008
Prepared 8 June 2008