Supplementary Memorandum submitted by
the Information Commissioner
1. The Information Commissioner has responsibility
for promoting and enforcing the Data Protection Act 1998 and the
Freedom of Information Act 2000. He is independent from government
and promotes access to official information and the protection
of personal information. The Commissioner does this by providing
guidance to individuals and organisations, solving problems where
he can, and taking appropriate action where the law is broken.
The comments in this additional evidence are primarily from the
data protection perspective.
2. The Commissioner is grateful for the
opportunity to provide additional written evidence as the Committee
reaches the final stages of the inquiry. In this evidence he sets
out the progress made on initiatives he referred to in his earlier
evidence and included in his "Surveillance Society Action
Plan", reports on other developments taken forward by his
office and addresses relevant points raised by other witnesses
in their oral evidence sessions.
3. In May the Commissioner issued an invitation
to tender, inviting bids from those interested in carrying out
research into the experience of using Privacy Impact Assessments
(PIA) in other countries, the lessons to be learned from their
experiences and the development of a PIA methodology, including
a handbook to be used by those wishing to undertake a privacy
impact assessment in the UK. The research contract was awarded
to a consortium led by Loughborough University and the results
of the research project were received on the 31 October 2007.
The project deliverables are now being examined and will be published
at the Commissioner's planned conference entitled "Surveillance
Society: Turning Debate into Action". Further details of
this are set out below.
4. In the oral evidence session of Tuesday
12 June a call was made for tougher regulation of IT suppliers.
As a similarly useful measure, the Commissioner would welcome
a commitment to use privacy impact assessments as part of the
OGC Gateway Review Process, thus embedding data protection and
wider privacy considerations into the process of setting up any
new and substantial government IT system. Not only would this
help to ensure that adequate and relevant consideration is given
to privacy from the outset, it would also help achieve compliance
with the data protection legislation and would go some way towards
fostering public trust in the use of their personal information.
This approach has been adopted in other jurisdictions overseas
and the Commissioner feels there is much merit in adopting a similar
approach in the UK.
5. The Commissioner will send a copy of
the final PIA research, including an assessment of international
experience and the PIA handbook for use in the UK to the Committee
as soon as a final version is settled ready for publication and
in advance of the general launch in December.
6. Another research project currently being
undertaken, with its results to be published at the Conference in December,
is into "Public Perceptions of the Surveillance Society".
This research was commissioned in September and the final report
is being drawn up by researchers at the present time. Research
into public attitudes forms an important aspect of informing our
future work in this area. The nature of our work is such that
we spend a large amount of time speaking to and meeting with public
and private sector organisations about the potential impact of
the surveillance society but it is much more difficult to engage
with the general public about their perceptions and experiences
of it. The research we have commissioned is therefore to explore
how aware people are of the different forms of surveillance that
intrude into their everyday lives, what their concerns are, what
they find acceptable and unacceptable, what they expect and don't
expect and what safeguards they think are in place to protect
them from unwarranted collection and use of their personal information.
7. Whilst initial findings point towards
a general lack of awareness and concern about surveillance society
issues amongst the general public, we are keen to try to discover
where people feel that the boundaries should be drawn. We are
also trying to find out whether they are content with the amount
of surveillance taking place in the UK and, if so, whether this
is because they feel that the regulations and safeguards surrounding
the collection and use of personal information are sufficiently
robust to negate any risks to them as individuals.
8. The Commissioner will send a copy of
the final report to the Committee as soon as one is available
and in advance of the general launch in December.
9. On 11 December 2007 the Commissioner
will be hosting a conference following up on the 2006 International
Data Protection and Privacy Conference at which he set out to
raise awareness about and provoke discussion on the advance of
the surveillance society. The December conference, "Surveillance
Society: Turning Debate into Action", will be held at the Bridgewater
Hall in Manchester. The Commissioner will use the conference to
launch the results of his research projects into privacy impact
assessments and public perceptions of the surveillance society.
The conference will also look at the technology available to help
protect privacy and any necessary changes to the legal and policy
framework from a privacy protection point of view. The conference
will also examine the practical experience of a government department
as it tries to address privacy concerns arising from a major initiative,
with the Department for Transport outlining its efforts to develop
a privacy-friendly road pricing scheme.
10. As the title suggests, the intention
of the conference is to show some practical examples of where
action can be or has been taken to address some of the privacy
and data protection concerns that the surveillance society raises.
Those attending will be provided with information on the privacy
impact assessment handbook and will hear how privacy impact assessments
operate in other countries.
11. On 10 October 2007, the Commissioner
published his Framework Code of Practice for Sharing Personal
Information. The Framework explains how organisations can set
up their own arrangements to ensure that where personal information
is shared, good practice is adopted. It helps organisations decide
when to share information and what information to share, highlights
the consequences of sharing and deals with the issue of consent.
It is designed to be flexible, enabling organisations to adopt
it wholesale or to extract some of its content and integrate this
into existing policies and systems. The Commissioner will also
be able to endorse the codes of practice created by those using
the Framework, subject to him being able to audit and inspect
12. The final version was produced after
extensive liaison with relevant stakeholders, both before and
during the official consultation period.
13. This is the first time that the Commissioner
has produced such a "framework" code, to be adapted
and used to suit the needs of those involved in a particular information
sharing operation. It reflects the fact that the range of situations
in which information sharing can take place is so broad that trying
to develop a single prescriptive code, written by the Information
Commissioner to be used in all situations, would be unworkable.
14. A copy of the code is attached at Annex
A (not printed).
15. The issue of information sharing still
continues to provoke wider interest and the Prime Minister has
recently announced that the Commissioner and Dr Mark Walport of
the Wellcome Trust have been asked to conduct a review of information
16. The review will look at how information
sharing policy should be developed in the future. As part of this,
the review may make recommendations on potential changes to the
way the Data Protection Act operates as well as setting out recommendations
on the powers and sanctions that the Commissioner has available.
The final report is due to be published in the first half of 2008.
17. The review terms of reference are attached
at Annex B (not printed).
CCTV CODE OF
18. The Commissioner first published his
CCTV Code of Practice in 2000 and it has proved to be a popular
and useful piece of guidance. However, advances in the use of
CCTV, both in terms of the number and prevalence of CCTV cameras
and the technology available, have meant that some of the references
were beginning to become out of date. In order to remain useful,
the code needed to be revised to take into account those advances
and also to take into account the needs of those operating the
19. Workshops were held with the most relevant
stakeholders in this field which helped to determine where they
felt revised and/or additional guidance would be of use. The revised
code was drawn up and went out for consultation in August. The
consultation period ended on October 31 and the Commissioner expects
the updated version to be launched in January 2008.
20. Apart from addressing the advances in
technology made since the CCTV code was first launched, the new
code also amplifies the Commissioner's position with regard to
the use of CCTV in particular situations such as recording conversations.
It also requires those considering introducing a system to consider
the other, less privacy intrusive options before committing to
the use of cameras.
21. A copy of the consultation draft is
attached at Annex C (not printed) and the final revised version
of the CCTV Code of Practice will be sent to the Committee as
soon as consultation responses are analysed and a final version
22. The Home Office and the Association
of Chief Police Officers, who were consulted during the revision
of the Code, have recently published a "National CCTV Strategy"
which also reinforces the need for data protection compliance
by CCTV operators and suggests greater supervisory powers for
The Commissioner has agreed to participate in a Programme Board
set up to take the Strategy recommendations forward.
23. During his oral evidence session, the
Commissioner called for a penalty to be introduced into the data
protection legislation for situations where there is a flagrant,
negligent or repeated disregard of the requirements of the law.
He offered to provide further information about this penalty to
24. Since the oral evidence session the
Commissioner has submitted a draft proposal for changes to data
protection powers and penalties to the Ministry of Justice. Once
the Commissioner's proposal is finalised a copy will be sent to
25. The Commissioner would like to see the
creation of a criminal offence of knowingly or recklessly failing
to comply with the data protection principles so as to create
a substantial risk that damage or distress will be caused to any
person. He is also seeking a power to inspect personal data to
assess whether or not it is being processed in compliance with
the Data Protection Act. He believes that the introduction of
such penalties and powers would significantly increase the ability
of his office to fulfil its commitment to strengthen public confidence
in data protection and to take a risk-based approach to regulation.
26. The penalty would be linked to a failure,
knowingly or recklessly, to discharge the duty imposed on data
controllers under section 4(4) of the Data Protection Act which
states that " . . . it shall be the duty of a data controller
to comply with the data protection principles in relation to all
personal data with respect to which he is the data controller".
The Commissioner is suggesting an unlimited fine for such offences,
not a custodial sentence, and a defence that the data controller
concerned exercised "all due diligence".
27. In terms of powers of inspection, the
Commissioner would like to see a broadening of section 54A of
the Data Protection Act which relates to the inspection of overseas
information systems in which the UK participates such as Europol.
He is suggesting that this inspection power should apply to any
information system in which personal data are recorded falling
within his jurisdiction.
28. Allied to the call for a penalty to
be introduced for breaches of the data protection principles,
the Commissioner believes that consideration should be given to
security breach notification obligations in the UK. These are
used in other jurisdictions and involve the organisation which
is the subject of a breach being obliged to tell those individuals
affected by it such as those whose personal information is involved,
as well as, in some cases, the regulator. Such obligatory notifications
could, if applied sensibly, not only provide protection for individuals
but would also help the Information Commissioner to take appropriate
action where necessary.
29. In the oral evidence session of Tuesday
12 June 2007 it was suggested that data protection officers in
government departments should report to the Information Commissioner
rather than to the departmental Parliamentary Secretary.
It was felt that this would then ensure that they see their job
as enforcing the legislation within the department rather than
trying to ensure that the department does not fall foul of the
30. Whilst the Commissioner is not in a
position to comment in detail on how government data protection
officers currently carry out their roles, it is correct that Directive
95/46/EC from which the UK Data Protection legislation is transposed
recognises a role for "in-house" data protection officials
particularly in relation to notification arrangements (Articles
18 and 20). Such officials are a feature of other countries' data
protection regimes such as Germany. Section 23 of the Data Protection
Act implements this provision of the Directive by providing for
the appointment of "data protection supervisors". The
necessary order to bring this section into effect has never been
made but this could provide an opportunity to put in place data
protection supervisors in government departments and create obligations
and duties as additional safeguards, including duties in relation
to the Commissioner.
31. Individuals are increasingly sharing
information about themselves with others. The growth of social
network sites and online blogs raises the prospect of individuals
leaving themselves open to increased surveillance. This not only
has an impact on privacy, it also increases that individual's
risk of becoming a victim of identity fraud in the future. The
Commissioner has already taken some steps to try to help individuals
reduce the risk of identity fraud through the publication of his
well-received personal information toolkit earlier this year.
The Commissioner is also in the process of drafting guidance for
individuals who are using or thinking of using social networking
sites. This guidance will be published in the coming months, once
comments have been received from the social networking sites involved.
32. The Commissioner's Surveillance Society
Action Plan does not concentrate only on his own initiatives;
it also includes his work responding to the initiatives of others
which have surveillance society implications. A significant area
of increased state information gathering and analysis is in relation
to international travel. The Government now has a well-established
e-Borders programme and central to this are the information provision
and sharing powers in the Immigration, Asylum and Nationality
Act 2006. This includes extensive information acquisition and
sharing powers for all the UK border control authorities. One
of the safeguards put in place to ensure a proper use of these
powers is a code of practice on information sharing as required
by section 37. The Commissioner has been consulted by the Border
and Immigration Agency on a draft and he has made comments that
he hopes can be taken into account in the final version before
it is laid before Parliament.
33. The European Commission has also recently
announced the intention to establish a framework decision that
will lead to all EU member states acquiring passenger name record
details of all airline passengers arriving in the EU. This engages
substantial privacy concerns and the Commissioner is working with
his EU data protection commissioner colleagues to ensure that
this proposal is necessary and if so includes the essential data
34. The Commissioner continues to place
great emphasis on work aimed to address surveillance society issues
involving the use of personal information. He has recently been
consulting on his new data protection strategy and a consultation
draft is at Annex D.
This makes clear the continued commitment towards dealing with
the emergence of a surveillance society. This consultation closed
on the 28 September 2007 and the largely positive responses are
being analysed in detail.
35. The Commissioner is focussing work on
the practical steps that can be taken to deal with the undesirable
consequences of a surveillance society and he has a dedicated
stream of activities that continue to be managed through his surveillance
society action plan. This work has already made substantial progress
and he is committed to forging ahead with initiatives to ensure
that individuals enjoy a proper level of privacy and data protection
and that their personal information is handled in a way that inspires
246 Q222 Response of Dr Phippen, Lecturer, School
of Computing, Communications and Electronics, University of Plymouth.
Q222 Response of Professor Anderson, Professor of Security Engineering,
University of Cambridge and Chair of the Foundation for Information
Policy Research.
Not printed.