Select Committee on Home Affairs Written Evidence


APPENDIX 45

Supplementary memorandum submitted by Dr C N M Pounder

  At the end of the oral evidence (26 June), the questioning turned to what could be done to improve the supervision of surveillance. As we had run out of time, I thought it useful to produce a list of improvements that are, in my view, essential to help maintain public trust if surveillance is to occur.

10 STANDARDS OF TRUST TO SAFEGUARD THE INDIVIDUAL

  It is my belief that safeguards have to meet 10 "standards of trust" that demonstrate to the public that their privacy interests are safeguarded and that they can trust the complete process: from law-making to dealing with law-breaking. It will be useful to identify these standards so that any Bill of Rights can accommodate them. They apply to any activity which involves the processing of personal data, surveillance or interference by a public body and the standards can be listed as:

  1.  Any processing/surveillance/interference is limited to lawful purposes approved by Parliament.

  2.  Widely drafted powers or laws are not used to legitimise extensive function creep without detailed scrutiny by Parliament.

  3.  Procedures which authorise processing/surveillance/interference are followed scrupulously.

  4.  Procedures which authorise processing/surveillance/interference are separate from procedures related to the doing of the processing/surveillance/interference itself.

  5.  A complete record of the processing/surveillance/interference and its authorisation is retained to ensure transparency and accountability to the system of supervision.

  6.  Staff involved in the processing/surveillance/interference activity are fully trained to follow the rules.

  7.  Any malfeasance can be identified and individuals concerned suitably punished.

  8.  The system of supervision is independent of Government, well financed, and has effective powers of investigation and can delve into operational matters.

  9.  The regulator in charge of the supervision reports to Parliament and can refer matters to Parliament.

  10.  Full compensation for aggrieved individuals when things have clearly gone awry.

  The thrust of my other written evidence was that reliance on data protection and human rights law is insufficient. However, meeting these trust standards in turn requires changes to Parliamentary procedure, to the Commissioner's powers and to the individual's level of protection. These additional safeguards are outlined below.

SAFEGUARDS INVOLVING PARLIAMENTARY PROCEDURE

  Parliament has traditionally balanced the public interest by scrutinising the executive. To assist this:

    —    Parliament should have a mechanism which allows it to demand any information that relates to the processing of personal data/surveillance/interference (eg publication of details or legal advice that explains why there is no breach of Article 8; why the European Commission considers the UK's Data Protection Act to be defective and why the UK Government says it is not).

    —    Parliament should become involved in the details of the processing of personal data/surveillance/interference when matters are referred to it. For example, there are several Codes of Practice (or parts of Codes) that concern these issues that the Secretary of State currently lays before Parliament. These could be subject to consultation with a Commissioner. If consultation results in agreement the Code can come into effect without Parliamentary involvement. If agreement is not forthcoming, Parliament should have to approve the Secretary of State's Code by positive affirmation. This means that Parliament can explore the reasons for the disagreement.

    —    Parliament should separate privacy and security responsibilities. All warrants that concern surveillance or interference, currently signed by a Secretary of State, should seek judicial approval. This step would automatically separate the power to authorise interference from the mechanisms that protect an individual from unnecessary interference.

    —    Parliament should permit a Select Committee to take privacy under its remit. Currently such issues have only been discussed in the narrow context of a Committee's specialist remit (e.g. child protection and privacy, science and privacy in relation to the DNA database; Home Affairs and privacy, etc) with the result that the big picture of how all Government initiatives impact on privacy has yet to be reviewed.

    —    Select Committees of Parliament should allow, if they decide, experts in the field to ask questions. In cases which relate to the scrutiny of public policy towards privacy, often the devil is in the complex detail of how surveillance occurs and not on the broad principle of whether surveillance should occur.

    —    Parliament should insist that the various Commissioners who have a role to ensure that any surveillance/interference is proportionate should report to Parliament and not to the Government Minister that is responsible for the interference. The Commissioners should also be able to employ security cleared experts to investigate operational matters where this is needed and a single Commissioner should deal with all national security issues.

SAFEGUARDS INVOLVING THE POWERS OF A COMMISSIONER

    —    A Commissioner should be able to insert into any relevant Code of Practice that relates to an activity concerning the processing of personal data or surveillance or interference:

      (a)    any procedure that establishes proportionality before any activity is commenced;

      (b)    the criteria which measure the success of the activity; the compilation of records that show that the activity was properly authorised including the statistical data which can be used to demonstrate transparency or that the interference was justifiable in terms of outcomes from performing the activity; or

      (c)    a requirement for a Privacy Impact Assessment or audit to be undertaken.

    —    A Commissioner should be able to test Article 8 in the Courts (eg he could be provided with an "Article 8 (Incompatibility) Notice" which can test whether a particular Statutory Instrument or primary legislation is compatible with Article 8 of the Human Rights Act).

    —    A Commissioner should have effective powers of investigation, intervention, audit and prosecution that can extend into operational matters.

    —    A Commissioner should have the duty to ask for changes to Codes of Practice or Ministerial powers that, in his view, would rectify a pressing privacy problem. Such a mechanism could provide, in cases where the Minister disputed the Commissioner's view, for Parliament to refresh its approval of Ministerial powers or Code of Practice by an affirmative Statutory Instrument procedure.

SAFEGUARDS IMPROVING THE INDIVIDUAL'S LEVEL OF PROTECTION

    —    Individuals should be granted a right to privacy of personal data, via the Sixth Data Protection Principle, which can be enforced by the Information Commissioner.

    —    Individuals should be informed when their personal data have been lost by an organisation in circumstances where the data could be used for ID theft. This obligation could arise by the introduction of a variety of USA security breach legislation where individuals are informed when unencrypted personal data are lost. Alternatively the legislation could specify that when a certain kind of security breach arises, the organisation has to notify the Commissioner of a security breach, and then the Commissioner decides whether individuals should be notified that their personal data have been compromised.

July 2007





 

© Parliamentary copyright 2008
Prepared 8 June 2008