Supplementary memorandum submitted by
Dr C N M Pounder
At the end of the oral evidence (26 June), the
questioning turned to what could be done to improve the supervision
of surveillance. As we had run out of time, I thought it useful
to produce a list of improvements that are, in my view, essential
to help maintain public trust if surveillance is to occur.
10 STANDARDS OF
It is my belief that safeguards have to meet
10 "standards of trust" that demonstrate to the public
that their privacy interests are safeguarded and that they can
trust the complete process: from law-making to dealing
with law-breaking. It will be useful to identify these standards
so that any Bill of Rights can accommodate them. They apply to
any activity which involves the processing of personal data, surveillance
or interference by a public body and the standards can be listed
1. Any processing/surveillance/interference
is limited to lawful purposes approved by Parliament.
2. Widely drafted powers or laws are not
used to legitimise extensive function creep without detailed scrutiny
3. Procedures which authorise processing/surveillance/interference
are followed scrupulously.
4. Procedures which authorise processing/surveillance/interference
are separate from procedures related to the doing of the processing/surveillance/interference
5. A complete record of the processing/surveillance/interference
and its authorisation is retained to ensure transparency and accountability
to the system of supervision.
6. Staff involved in the processing/surveillance/interference
activity are fully trained to follow the rules.
7. Any malfeasance can be identified and
individuals concerned suitably punished.
8. The system of supervision is independent
of Government, well financed, and has effective powers of investigation
and can delve into operational matters.
9. The regulator in charge of the supervision
reports to Parliament and can refer matters to Parliament.
10. Full compensation for aggrieved individuals
when things have clearly gone awry.
The thrust of my other written evidence was
that reliance on data protection and human rights law is insufficient.
However, meeting these trust standards in turn requires changes
to Parliamentary procedure, to the Commissioner's powers and to
the individual's level of protection. These additional safeguards
are outlined below.
Parliament has traditionally balanced the public
interest by scrutinising the executive. To assist this:
Parliament should have a mechanism
which allows it to demand any information that relates to the
processing of personal data/surveillance/interference (eg publication
of details or legal advice that explains why there is no breach
of Article 8; why the European Commission considers the UK's
Data Protection Act to be defective and why the UK Government
says it is not).
Parliament should become involved
in the details of the processing of personal data/surveillance/interference
when matters are referred to it. For example, there are several
Codes of Practice (or parts of Codes) that concern these issues
that the Secretary of State currently lays before Parliament.
These could be subject to consultation with a Commissioner. If
consultation results in agreement the Code can come into effect
without Parliamentary involvement. If agreement is not forthcoming,
Parliament should have to approve the Secretary of State's Code
by positive affirmation. This means that Parliament can explore
the reasons for the disagreement.
Parliament should separate privacy
and security responsibilities. All warrants that concern surveillance
or interference, currently signed by a Secretary of State, should
seek judicial approval. This step would automatically separate
the power to authorise interference from the mechanisms that protect
an individual from unnecessary interference.
Parliament should permit a Select
Committee to take privacy under its remit. Currently such issues
have only been discussed in the narrow context of a Committee's
specialist remit (e.g. child protection and privacy, science and
privacy in relation to the DNA database; Home Affairs and privacy,
etc) with the result that the big picture of how all Government
initiatives impact on privacy has yet to be reviewed.
Select Committees of Parliament
should allow, if they decide, experts in the field to ask questions.
In cases which relate to the scrutiny of public policy towards
privacy, often the devil is in the complex detail of how
surveillance occurs and not in the broad principle of whether
surveillance should occur.
Parliament should insist that
the various Commissioners who have a role to ensure that any surveillance/interference
is proportionate should report to Parliament and not to the Government
Minister that is responsible for the interference. The Commissioners
should also be able to employ security-cleared experts to investigate
operational matters where this is needed and a single Commissioner
should deal with all national security issues.
A Commissioner should be able
to insert into any relevant Code of Practice that relates to an
activity concerning the processing of personal data or surveillance
(a) any procedure that establishes
proportionality before any activity is commenced;
(b) the criteria which measure
the success of the activity; the compilation of records that show
that the activity was properly authorised including the statistical
data which can be used to demonstrate transparency or that the interference
was justifiable in terms of outcomes from performing the activity;
(c) a requirement that a Privacy Impact Assessment
or audit be undertaken.
A Commissioner should be able
to test Article 8 in the Courts (eg he could be provided with an "Article
8 (Incompatibility) Notice" which can test whether a particular
Statutory Instrument or primary legislation is compatible with
Article 8 of the Human Rights Act).
A Commissioner should have effective
powers of investigation, intervention, audit and prosecution that
can extend into operational matters.
A Commissioner should have the
duty to ask for changes to Codes of Practice or Ministerial powers
that, in his view, would rectify a pressing privacy problem. Such
a mechanism could provide, in cases where the Minister disputed
the Commissioner's view, for Parliament to refresh its approval
of Ministerial powers or Code of Practice by an affirmative Statutory
Individuals should be granted
a right to privacy of personal data, via the Sixth Data Protection
Principle, which can be enforced by the Information Commissioner.
Individuals should be informed
when their personal data have been lost by an organisation in
circumstances where the data could be used for ID theft. This
obligation could arise by the introduction of a variety of USA
security breach legislation where individuals are informed when
unencrypted personal data are lost. Alternatively the legislation
could specify that when a certain kind of security breach arises,
the organisation has to notify the Commissioner of a security
breach, and then the Commissioner decides whether individuals
should be notified that their personal data have been compromised.