Select Committee on Home Affairs Written Evidence


Supplementary Memorandum submitted by the Information Commissioner

  1.  The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 and the Freedom of Information Act 2000. He is independent from government and promotes access to official information and the protection of personal information. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. The comments in this additional evidence are primarily from the data protection perspective.

  2.  The Commissioner is grateful for the opportunity to provide additional written evidence as the Committee reaches the final stages of the inquiry. In this evidence he sets out the progress made on initiatives he referred to in his earlier evidence and included in his "Surveillance Society Action Plan", reports on other developments taken forward by his office and addresses relevant points raised by other witnesses in their oral evidence sessions.


  3.  In May the Commissioner issued an invitation to tender, inviting bids from those interested in carrying out research into the experience of using Privacy Impact Assessments (PIA) in other countries, the lessons to be learned from their experiences and the development of a PIA methodology, including a handbook to be used by those wishing to undertake a privacy impact assessment in the UK. The research contract was awarded to a consortium led by Loughborough University and the results of the research project were received on the 31 October 2007. The project deliverables are now being examined and will be published at the Commissioner's planned conference entitled "Surveillance Society: Turning Debate into Action". Further details of this are set out below.

  4.  In the oral evidence session of Tuesday 12 June a call was made for tougher regulation of IT suppliers and providers.[246] As a similarly useful measure, the Commissioner would welcome a commitment to use privacy impact assessments as part of the OGC Gateway Review Process, thus embedding data protection and wider privacy considerations into the process of setting up any new and substantial government IT system. Not only would this help to ensure that adequate and relevant consideration is given to privacy from the outset, it would also help achieve compliance with the data protection legislation and would go some way towards fostering public trust in the use of their personal information. This approach has been adopted in other jurisdictions overseas and the Commissioner feels there is much merit in adopting a similar approach in the UK.

  5.  The Commissioner will send a copy of the final PIA research, including an assessment of international experience and the PIA handbook for use in the UK to the Committee as soon as a final version is settled ready for publication and in advance of the general launch in December.


  6.  Another research project currently being undertaken, the results of which will be published at the Conference in December, is into "Public Perceptions of the Surveillance Society". This research was commissioned in September and the final report is being drawn up by researchers at the present time. Research into public attitudes forms an important aspect of informing our future work in this area. The nature of our work is such that we spend a large amount of time speaking to and meeting with public and private sector organisations about the potential impact of the surveillance society but it is much more difficult to engage with the general public about their perceptions and experiences of it. The research we have commissioned is therefore to explore how aware people are of the different forms of surveillance that intrude into their everyday lives, what their concerns are, what they find acceptable and unacceptable, what they expect and don't expect and what safeguards they think are in place to protect them from unwarranted collection and use of their personal information.

  7.  Whilst initial findings point towards a general lack of awareness and concern about surveillance society issues amongst the general public, we are keen to try to discover where people feel that the boundaries should be drawn. We are also trying to find out whether they are content with the amount of surveillance taking place in the UK and, if so, whether this is because they feel that the regulations and safeguards surrounding the collection and use of personal information are sufficiently robust to negate any risks to them as individuals.

  8.  The Commissioner will send a copy of the final report to the Committee as soon as one is available and in advance of the general launch in December.


  9.  On 11 December 2007 the Commissioner will be hosting a conference following up on the 2006 International Data Protection and Privacy Conference at which he set out to raise awareness about and provoke discussion on the advance of the surveillance society. The December conference, "Surveillance Society: Turning Debate into Action", will be held at the Bridgewater Hall in Manchester. The Commissioner will use the conference to launch the results of his research projects into privacy impact assessments and public perceptions of the surveillance society. The conference will also look at the technology available to help protect privacy and any necessary changes to the legal and policy framework from a privacy protection point of view. The conference will also examine the practical experience of a government department as it tries to address privacy concerns arising from a major initiative, with the Department for Transport outlining its efforts to develop a privacy friendly road pricing scheme.

  10.  As the title suggests the intention of the conference is to show some practical examples of where action can be or has been taken to address some of the privacy and data protection concerns that the surveillance society raises. Those attending will be provided with information on the privacy impact assessment handbook and will hear how privacy impact assessments operate in other countries.


  11.  On 10 October 2007, the Commissioner published his Framework Code of Practice for Sharing Personal Information. The Framework explains how organisations can set up their own arrangements to ensure that where personal information is shared, good practice is adopted. It helps organisations decide when to share information and what information to share, highlights the consequences of sharing and deals with the issue of consent. It is designed to be flexible, enabling organisations to adopt it wholesale or to extract some of its content and integrate this into existing policies and systems. The Commissioner will also be able to endorse the codes of practice created by those using the Framework, subject to him being able to audit and inspect the arrangements.

  12.  The final version was produced after extensive liaison with relevant stakeholders, both before and during the official consultation period.

  13.  This is the first time that the Commissioner has produced such a "framework" code, to be adapted and used to suit the needs of those involved in a particular information sharing operation. It reflects the fact that the range of situations in which information sharing can take place is so broad that trying to develop a single prescriptive code, written by the Information Commissioner to be used in all situations, would be unworkable.

  14.  A copy of the code is attached at Annex A (not printed).

  15.  The issue of information sharing still continues to provoke wider interest and the Prime Minister has recently announced that the Commissioner and Dr Mark Walport of the Wellcome Trust have been asked to conduct a review of information sharing.

  16.  The review will look at how information sharing policy should be developed in the future. As part of this, the review may make recommendations on potential changes to the way the Data Protection Act operates as well as setting out recommendations on the powers and sanctions that the Commissioner has available. The final report is due to be published in the first half of 2008.

  17.  The review terms of reference are attached at Annex B (not printed).


  18.  The Commissioner first published his CCTV Code of Practice in 2000 and it has proved to be a popular and useful piece of guidance. However, advances in the use of CCTV, both in terms of the number and prevalence of CCTV cameras and the technology available, have meant that some of the references were beginning to become out of date. In order to remain useful, the code needed to be revised to take into account those advances and also to take into account the needs of those operating the systems.

  19.  Workshops were held with the most relevant stakeholders in this field which helped to determine where they felt revised and/or additional guidance would be of use. The revised code was drawn up and went out for consultation in August. The consultation period ended on October 31 and the Commissioner expects the updated version to be launched in January 2008.

  20.  Apart from addressing the advances in technology made since the CCTV code was first launched, the new code also amplifies the Commissioner's position with regard to the use of CCTV in particular situations such as recording conversations. It also requires those considering introducing a system to consider the other, less privacy intrusive options before committing to the use of cameras.

  21.  A copy of the consultation draft is attached at Annex C (not printed) and the final revised version of the CCTV Code of Practice will be sent to the Committee as soon as consultation responses are analysed and a final version agreed.

  22.  The Home Office and the Association of Chief Police Officers, who were consulted during the revision of the Code, have recently published a "National CCTV Strategy" which also reinforces the need for data protection compliance by CCTV operators and suggests greater supervisory powers for the Commissioner.[247] The Commissioner has agreed to participate in a Programme Board set up to take the Strategy recommendations forward.


  23.  During his oral evidence session, the Commissioner called for a penalty to be introduced into the data protection legislation for situations where there is a flagrant, negligent or repeated disregard of the requirements of the law. He offered to provide further information about this penalty to the Committee.

  24.  Since the oral evidence session the Commissioner has submitted a draft proposal for changes to data protection powers and penalties to the Ministry of Justice. Once the Commissioner's proposal is finalised a copy will be sent to the Committee.

  25.  The Commissioner would like to see the creation of a criminal offence of knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person. He is also seeking a power to inspect personal data to assess whether or not it is being processed in compliance with the Data Protection Act. He believes that the introduction of such penalties and powers would significantly increase the ability of his office to fulfil its commitment to strengthen public confidence in data protection and to take a risk-based approach to regulation.

  26.  The penalty would be linked to a failure, knowingly or recklessly, to discharge the duty imposed on data controllers under section 4(4) of the Data Protection Act which states that " . . . it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller". The Commissioner is suggesting an unlimited fine for such offences, not a custodial sentence, and a defence that the data controller concerned exercised "all due diligence".

  27.  In terms of powers of inspection, the Commissioner would like to see a broadening of section 54A of the Data Protection Act which relates to the inspection of overseas information systems in which the UK participates such as Europol. He is suggesting that this inspection power should apply to any information system in which personal data are recorded falling within his jurisdiction.

  28.  Allied to the call for a penalty to be introduced for breaches of the data protection principles, the Commissioner believes that consideration should be given to security breach notification obligations in the UK. These are used in other jurisdictions and involve the organisation which is the subject of a breach being obliged to tell those individuals affected by it such as those whose personal information is involved, as well as, in some cases, the regulator. Such obligatory notifications could, if applied sensibly, not only provide protection for individuals but would also help the Information Commissioner to take appropriate action where necessary.


  29.  In the oral evidence session of Tuesday 12 June 2007 it was suggested that data protection officers in government departments should report to the Information Commissioner rather than to the departmental Parliamentary Secretary.[248] It was felt that this would then ensure that they see their job as enforcing the legislation within the department rather than trying to ensure that the department does not fall foul of the Information Commissioner.

  30.  Whilst the Commissioner is not in a position to comment in detail on how government data protection officers currently carry out their roles, it is correct that Directive 95/46/EC from which the UK Data Protection legislation is transposed recognises a role for "in-house" data protection officials particularly in relation to notification arrangements (Articles 18 and 20). Such officials are a feature of other countries' data protection regimes such as Germany. Section 23 of the Data Protection Act implements this provision of the Directive by providing for the appointment of "data protection supervisors". The necessary order to bring this section into effect has never been made but this could provide an opportunity to put in place data protection supervisors in government departments and create obligations and duties as additional safeguards, including duties in relation to the Commissioner.


  31.  Individuals are increasingly sharing information about themselves with others. The growth of social network sites and online blogs raises the prospect of individuals leaving themselves open to increased surveillance. This not only has an impact on privacy, it also increases that individual's risk of becoming a victim of identity fraud in the future. The Commissioner has already taken some steps to try to help individuals reduce the risk of identity fraud through the publication of his well-received personal information toolkit earlier this year. The Commissioner is also in the process of drafting guidance for individuals who are using or thinking of using social networking sites. This guidance will be published in the coming months, once comments have been received from the social networking sites involved.

  32.  The Commissioner's Surveillance Society Action Plan does not concentrate only on his own initiatives; it also includes his work responding to the initiatives of others which have surveillance society implications. A significant area of increased state information gathering and analysis is in relation to international travel. The Government now has a well established e-Borders programme and central to this are the information provision and sharing powers in the Immigration, Asylum and Nationality Act 2006. This includes extensive information acquisition and sharing powers for all the UK border control authorities. One of the safeguards put in place to ensure a proper use of these powers is a code of practice on information sharing as required by section 37. The Commissioner has been consulted by the Border and Immigration Agency on a draft and he has made comments that he hopes can be taken into account in the final version before it is laid before Parliament.

  33.  The European Commission has also recently announced the intention to establish a framework decision that will lead to all EU member states acquiring passenger name record details of all airline passengers arriving in the EU. This engages substantial privacy concerns and the Commissioner is working with his EU data protection commissioner colleagues to ensure that this proposal is necessary and if so includes the essential data protection safeguards.


  34.  The Commissioner continues to place great emphasis on work aimed to address surveillance society issues involving the use of personal information. He has recently been consulting on his new data protection strategy and a consultation draft is at Annex D.[249] This makes clear the continued commitment towards dealing with the emergence of a surveillance society. This consultation closed on the 28 September 2007 and the largely positive responses are being analysed in detail.

  35.  The Commissioner is focussing work on the practical steps that can be taken to deal with the undesirable consequences of a surveillance society and he has a dedicated stream of activities that continue to be managed through his surveillance society action plan. This work has already made substantial progress and he is committed to forging ahead with initiatives to ensure that individuals enjoy a proper level of privacy and data protection and that their personal information is handled in a way that inspires their trust.

November 2007

246   Q222 Response of Dr Phippen, Lecturer, School of Computing, Communications and Electronics, University of Plymouth.

247

248   Q222 Response of Professor Anderson, Professor of Security Engineering, University of Cambridge and Chair of the Foundation for Information Policy Research.

249   Not printed.


© Parliamentary copyright 2008
Prepared 8 June 2008