Select Committee on Home Affairs Minutes of Evidence

Examination of Witnesses (Questions 280 - 299)



  Q280  Chairman: Moving on to you, Dr Metcalfe, can I perhaps put the question this way. Should my concern be that somebody will actually find out something about me and do something to me as a result, if you took Dr Forbes, the previous witness, that all my neighbours can watch the CCTV as well as the CCTV control room, or somebody finds out something about by credit record or something and damages me, or is it almost a more philosophical objection that some people would say, "Even if nobody does anything to harm me, I have somehow lost out as a free citizen by the fact that other people have got access to information about me that I would rather they did not have"? Where in our inquiry should we be focusing on the practical damage that can be done to individuals or the philosophical concern that we are less free if other people have our private information?

  Dr Metcalfe: I am sorry to say that you have to focus on both. It is entirely true that you have to focus on the practical, but also, yes, you are harmed, in a way, if the information is stored, even if the information is never actually seen by anyone else, because your own sense of personal privacy is affected by the knowledge that people have access. For example, if I write a diary and I leave it in a room and I am subsequently aware that maybe 10 people have gone through that room and had the opportunity to read my personal thoughts sitting on the desk, maybe none of them did, but already that has had an effect on my personal privacy. If you think about all your personal data as being in that diary and if you think about not merely 10 people passing through that room but, say, all the relevant agencies that have come on to the stage having access, then you have reason to be concerned, and your own sense of personal privacy, which we think has a very important value because it allows us to do so many things that we take for granted as being part of a good life, is affected as a result. There is a chilling effect that comes about in that kind of situation.

  Chairman: When you talk about your diary, I feel very much the same about my blog. Anybody could read it, but nobody seems to bother!

  Q281  Mrs Cryer: Shami, congratulations on your CBE. I just want to take it a bit further from what the Chairman has been saying. I want to ask you all if you accept that there could be real and pressing needs for data sharing, particularly in the light of what happened on 7/7 two years ago and given the fact that we all recognise that the most precious human right is the right to life itself and to keep our bodies intact. Therefore, how do you compare that need for the public to know what is going on and protect our citizens with the overriding consideration for individual privacy?

  Ms Chakrabarti: I think you have to do it on a case by case or policy by policy basis. I think that the principles in the European Convention, and in this country they are older—there is the justificatory principle for interfering with the individual—still work very well. So, rather than balancing these issues at an abstract philosophical level, we would look at a particular policy, or a particular interference, a particular need to match data or to access data. I am assuming you are talking about the law enforcement context or the investigation context possibly by compulsion rather than voluntarily, though in other contexts sometimes voluntary sharing is good enough. You say, "Is this policy, is this measure, is this particular accessing of data truly necessary and proportionate for this?" and it is balance. That is why it is so difficult. If I may say so, that is why Parliament is actually better suited to protecting privacy ( and I think it has got a long way to go) and I hope this is the start of it, than the courts are. In my experience the courts are almost uniquely well qualified for dealing with a situation where what is at stake for the individual is torture or incarceration, and that is being balanced against other factors, but the courts are not best placed where the balance is between two great societal objectives, where the interference with the individual's right is not that great actually. Some would argue that if my DNA is taken from me, for example, when I am arrested for shop-lifting, even though they got the wrong woman and the police apologised to me and sent me on my way, the DNA is now kept forever because someone says one day I might be a terrorist or I might be guilty of shop-lifting, the courts have not so far been very good at conducting that proportionality exercise, but I would hope that because that taking of DNA is as much an issue for hundreds and thousands of people as it is for me individually that Parliament is actually much better suited, and in the future I hope that the debate about privacy and various policies could be really enhanced by greater Parliamentary involvement.

  Q282  Mrs Cryer: Would anyone else like to comment?

  Dr Pounder: Just one comment in relation to trust and trusting in the data sharing arrangements. I think the issue is one of trust, and possibly the risk is the global erosion of trust. The previous speaker, Professor Wessley, said in relation to medical research there was a lack of trust in the system, and that he had experience in people refusing to give consent for medical research. If you look at the data sharing arrangements, all the trusting is from the public. The public has to trust that the data sharing is limited in accordance with the rules, the public have to trust that staff who do the data sharing are properly trained and follow the rules, the public have to trust that the procedures for authorising the data sharing are properly maintained and the public have to trust that Parliament does not enact legislation that provides for function creep. All this trusting is in one direction. What there needs to be, as Shami said, is a strong counterbalance to that public trust. All the trust is coming from the public to the authorities with very little counterbalance, in my view.

  Ms Chakrabarti: Ironically it could manifest itself. If this trust is broken on occasions or generally, it manifests itself, not just in a way that is of detriment to the individual but of great harm to public policy as well. For argument's sake, if there were a health collection of data, and, of course, we have heard from people who care about protecting trust and privacy, your previous witnesses, but if you got to a point where the public no longer trusted the protection of their confidential information that they share with their doctor, people would say less to their doctor, and then, suddenly, you have got a counterproductive policy where you thought you were being so expedient by saying more and more people within the Health Service, etcetera, etcetera, can have access to this data because we are going to do such great research and we are going to help people wherever they are in the country. That all seems very laudable, but if you lose trust, then the woman who has been battered does not confide in her doctor any more. So, it is this very difficult balancing exercise which, as Dr Pounder has said, can also be enhanced by saying information is taken for a specific purpose. We put more robust ethics and laws and practice and culture in place to make sure that there is not just a general free-for-all or a general presumption of sharing where it is it expedient rather than sharing when it is truly necessary and proportionate.

  Dr Pounder: Can I add.

  Chairman: No, I am sorry, to get through the questions, we have got four witnesses, we cannot have everybody having two goes at every answer, so if everybody can be brief and if people have said the main points, please can we move on.

  Q283  Mrs Cryer: We were talking mainly about public authorities and their knowledge of people. Can we move on to private authorities, private concerns, and their accessing and holding information on individuals and, even more complicated, where the functions are contracted out from public authorities to private authorities. Would you comment on those areas about access to private information?

  Mr Russell: I think there are a number of similarities and a number of differences between large databases held by private bodies and large databases held by public bodies. Liberty has concerns or is interested in both but has mainly focused on public bodies, it has to be said. For example, in the context of our concerns about CCTV, that applies both to private bodies and public bodies. I think one of the main differences is this question of consent. In terms of giving information to a private body, it is very much based on consent but actually, in the context of providing information to a public body, it is often compulsory or, if it is not compulsory, it is basically, in order to receive a public service which people are paying for by their taxes, you have to provide that information. I think that is quite a key difference between these two types of database, but, of course, there is a big question as well about informed consent in terms of providing information to private databases and whether people are really aware about the value of what they are providing to those kinds of companies.

  Dr Metcalfe: I think there is a significant problem with private companies in that they are not always motivated by the same issues as the public sector obviously. In fact we received a letter very recently about the use of fingerprinting technology being sold to schools. A number of private security companies are selling schools security systems, whereas you used to be able to access the school library by way of a library card, and, indeed, with school lunches you now can have a fingerprint system. The kids just swipe their fingerprint across a scanner and that is matched against a record of their fingerprints, which are stored. So, you now have private companies holding fingerprint databases of school children. There are, obviously, various legal measures which can apply to that kind of situation, but I think it is a very good example of the way in which technological change is impacting upon personal privacy without very much appreciation of that impact.

  Q284  Chairman: It has been suggested to us that public sector companies are being covered by the ECHR, private sector companies are not being covered by it, and that possibly, going by the recent court ruling last week, for example, if the DWP at some point contracted out its work on investigating incapacity benefit to a private contractor, the private contractor would not be covered by the ECHR provisions. Is that correct, and is that a significant issue to worry about?

  Ms Chakrabarti: Sadly, it is not completely clear. What is clear from, in my view, a very disappointing decision last week is that residential care homes have not been considered to be public authorities, regardless of Parliamentary intention or the vulnerability of the people concerned. The case is confined to that situation, and their Lordships did try to distinguish a number of other potential scenarios, but there is a lack of clarity. You would not be able to say that all public functions that are contracted out are definitely caught; and so there will be parliamentary work to be done. I would argue, on a sector specific basis to be absolutely certain, that where Parliament is allowing local government or central government to contract out a particular service, that Parliament makes the decision, at the time of providing that sector specific legislation, whether it intends the Convention to apply, because I do think it could be an important safeguard.

  Mr Russell: Can I give you an example of where this particular issue is arising in a bill that is before Parliament at the moment? It is the Serious Crime Bill, and there is a power in there for the Audit Commission to mine data in order to identify potential fraudsters. There is a power in that bill for the Audit Commission to subcontract the power to do that data-mining, this kind of mechanical, computerised fishing expedition, to a subcontractor, to a private body. I think what was said is that, given the doubt in the court's mind about whether that body would be covered by the Human Rights Act, Parliament could clarify in the Serious Crime Bill that, for the avoidance of doubt, any private contractor will be covered.

  Dr Pounder: Could I quickly add on this point. The Data Protection Act has its concept of a data controller. The data controller is the person who has the statutory duty and if somebody contracts out delivery of the statutory duty, the delivery of service to a data processor, I think the data controller would still be in control of the data. That is my own view of it.

  Chairman: That is a very useful comment. We can rehearse current issues around it.

  Q285  Ms Buck: Can we pursue this issue of the difference between the approach of the private sector and the public sector, and just to ask, particularly Dr Pounder, but others may have a view, about what could be done. If we assume that the consent element in the private sector is a strength in terms of data protection, what could be done within the public sector systems to, if not exactly follow down that line, perhaps for some of the reasons we heard from the earlier witness, to try as much as possible to build in that kind of informed consent? What would be the systems requirements and how feasible is it?

  Dr Pounder: It depends on what you are doing. The previous witnesses said something about the police and consent which personally I did not think was quite right. I cannot see the police seeking consent for anything. If you have a statutory duty you do not need to seek consent, end of argument. What you can build in, in certain circumstances, is the right to object to the processing of personal data. So, in the private sector body, say, for example, I do not like Tesco. I have consented to Tesco processing my personal data. I am able to withdraw consent quite easily, for example, in relation to marketing or, possibly, in relation to their databases that look into my sales and purchases. So, for some areas of data sharing in the public sector, where there is a statutory gateway that permits the sharing but the sharing does not involve, say, for example, law enforcement, that kind of area, you could have an easy right to object to the processing. When the UK Government implemented the right to object in the Directive they implemented it in the narrowest possible terms, and that could be broadened. I am thinking particularly, for example, of the facilities in the identity card legislation that allows for disclosures for efficient and effective delivery of public services. You could have a right to object there.

  Q286  Ms Buck: Having listened to those witnesses, particularly on health, to what extent do you accept that there is a tension between public good, in terms, for example, of the benefits of using accurate epidemiological data, and the kind of protection and the potential right to opt out or to change data?

  Dr Metcalfe: I think a very good example is the police DNA database, because we have already seen applications being made by medical researchers to use that information; and it is all very well to say that the information is being stored for one particular law enforcement purpose but, as we know, the definition can go very broadly, and so you might say that the storing of DNA for a law enforcement purpose means that it should only ever be used in relation to a specific crime and a specific forensic investigation, but what we find happening is that medical researchers will go along to the police database and say, "We are interested in the idea of perhaps a gene for criminals. Can we do the speculative search in relation to your database to see if there is a link between, say, for example, people with red hair and criminal behaviour and potentially, given the breadth of the scope of the law enforcement purpose, that could actually fall within it. Obviously the police DNA database has its own regulatory framework and there are high ethical standards in relation to medical research, but I am not going to say it is impossible. I know that medical searches have already been approved in relation to it.

  Ms Chakrabarti: There comes a point, I think, where you really do need to start saying: is the Information Commissioner well-resourced enough? Does he have enough powers to really police even the existing Data Protection Act, and you have to say, given all the possibilities that we have at the moment and which are coming, Parliament is going to have to take a more robust role because there is a tension, there will be a tension at times, and I am not going to say that the previous witnesses are all wrong about the enormous potential benefits, but someone has got to make that judgment. When they say the normal paradigm has been consent or anonymity but that paradigm has to change, I would argue that it is you and your colleagues who should be conducting that judgment ultimately on behalf of your constituents, and, frankly, if that kind of paradigm is going to be ignored on occasion because they are going to cure cancer, then I think maybe there should be a specific bill and there should be a robust parliamentary debate. Generally speaking, law enforcement and the state have powers of compulsion, but in return there has been greater accountability. That is generally the trade-off. The private sector has generally been taking information by consent and there is less accountability. The lines between the private and public sector are increasingly merging to the point where I am not even sure the distinction is that helpful. The real question is the purpose for which the interference is taking place, who sanctions the interference and what are the protections against abuse?

  Q287  Ms Buck: A last question on that really, which is, I think, particularly for Dr Pounder. What about the scope for actually changing and adding to data in a way that is theoretically possible, although I suspect in practice it is not quite as easy as that, to change data on your credit rating? To what extent should it be possible within public databases to actually amend and correct data?

  Dr Pounder: There is specific legislation (the Consumer Credit Act) that permits that. In relation to the NHS discussion that we had, the NHS Act 2006 allows the disclosure of medical records without patient consent, subject to the Patient Information Advisory Group giving permission. I was a bit puzzled about why the medical researchers do not use the statutory routes that are available to them. In relation to public and private sector merging, what I would say is if you look at, say, the credit reference agencies—that is private data—credit reference agencies collect a whole pile of transactions from the banks, the telecommunications companies providing data to the authorities on a regular basis, the public and private sector is merging—. The barrier is not there in large databases. I think Shami is right, you have got to treat the whole thing case by case.

  Q288  Mr Winnick: Liberty and JUSTICE, in particular, the paper we received from Liberty, paragraph 12, the final sentence of that paragraph states, "There is growing public unease about the extent of the surveillance society." What evidence do you have of such public unease?

  Ms Chakrabarti: I am going to call on Mr Russell to answer that, but can I apologise at the outset for the author of this evidence not being here. Gareth Crossman is our privacy expert, he will publish a report later in the year, but I am afraid that the rights of privacy and family life seem to allow people to take personal holidays when they are working at Liberty. I did take advice on this.

  Chairman: We will hold you collectively to the evidence, I am sure.

  Q289  Mr Winnick: Mr Russell what evidence do you have?

  Mr Russell: First of all the anecdotal evidence is that we do receive hundreds and hundreds of queries from the press, and I suspect that you receive hundreds of letters through your mail bags about privacy type issues, but it is definitely something that we receive a lot of mail on.

  Q290  Mr Winnick: Mr Russell, can I interrupt you. I do not know about my colleagues; I cannot recall in recent times a single letter from constituents complaining about lack of privacy. I am being the devil's advocate, because to a large extent, as often with Liberty and JUSTICE, I intend to take the same view as you, but my job, like my colleagues, is to cross-examine you and find evidence for your statements. When you say there is great unease, that everyone is trembling in our constituencies that their privacy is being invaded, pray, give us some evidence.

  Mr Russell: There has been some limited polling done on this, and there was an article at the end of last year in the Telegraph with some YouGov Survey and that said that 78% of people felt that they lived in a surveillance society. Only 2% thought, for example, that the Government could be trusted to run an ID card scheme which did not contain serious errors. Fifty-two per cent were fairly unhappy, or very unhappy, at the idea that personal data could be recorded on government databases. So there is some data. One of the things that we will propose and will consider in this report to be published later in the year is the idea that more polling needs to be done, more information needs to be done about public attitudes to surveillance, but there is some suggestion in this limited data that there are public concerns.

  Q291  Mr Winnick: I am going to ask you this question, Mr Russell. If there is such concern, why is it that, not only perhaps my colleagues have a different sort of post bag, but if I have not received such correspondence and my constituents, certainly those who write letters, are not usually reluctant to express their point of view, I get quite number of letters of a different kind asking, in fact, for CCTV cameras. Of course they take the view (perhaps it is exaggerated) that CCTV cameras, in the view, presumably, of the large majority of people in this country, play some part in undermining criminality. If there is such a feeling of concern, why do I receive letters along the lines I have just indicated?

  Ms Chakrabarti: In my experience it is extremely dangerous for Liberty to fall into the trap that you are setting, which would be to suggest that general elections are going to be won or lost on CCTV. We are not in a position to argue that. Of the issues that people write to us about, that is already a more limited class. People do not ask us to build a Health Service for them, etcetera. It does seem to be a very high concern. When MPs write to us, which they do as well, to ask for help, on many occasions they are writing to us with concerns about fingerprinting in schools, DNA and so on. It may be a healthy minority of the public. I do not think that there is going to be a revolution about CCTV, but CCTV is really interesting. There is an interesting cultural point if you compare Britain to other European countries, because even in as far as privacy interferences go, there are big cultural differences about which particular interference people are concerned about. In Germany or other parts of the Continent you put a CCTV camera in the wrong place and there literally will be riots, and may be that is the non-democratic past. As a result, the authorities go through a much more rigorous process of community consultation and analysis before they decide where to place cameras. They put them up for the October Fest in Munich because they are expecting anti-social behaviour and trouble. At the end of the festival they take the cameras down. In Britain we seem to have had a much higher tolerance of lots and lots of cameras that seem to make a lot of people comfortable, but we still have concerns that from an efficacy point of view having lots of cameras everywhere, many of them not particularly well looked at or maintained, is not necessarily the best use of public money but also it is largely unregulated. Mr Denham made the point that you would feel better about the cameras if you thought that the people who were operating them were properly trained and properly recruited. That is not always the case, and it is not really regulated as an industry. I am not going to sit here and say that every single CCTV camera that has ever been erected is a complete violation of human rights, but I do think proportionality has a lot to contribute.

  Q292  Mr Winnick: Next time I receive letters about that I will bear in mind your comments. Dr Metcalfe, do you believe on behalf of JUSTICE that there is a large feeling in the country that we are on the verge of 1984, big brother and the rest?

  Dr Metcalfe: I think there is public unease. I do not think there is enough. There should be more public unease.

  Q293  Mr Winnick: There should be more, but it does not exist at the moment.

  Dr Metcalfe: There is public unease. We get the same letters and emails and telephone calls that Liberty get inviting us to take up concerns. Generally speaking, we go along, we have our club card points, we have our credit cards, we walk along the street, we are monitored by CCTV and we really do not think about the impact these things have on our personal privacy. Maybe someone is arrested. It is a case of mistaken identity, but someone makes a complaint about them being, say, a sex offender. They are acquitted or maybe charges are not even brought, and they think nothing of it until the next time they try to apply for a job working with children, and then they find they cannot because they have failed the child protection check because of the fact they have been arrested in relation to a sex offence means that that information has to be disclosed. That is the point at which people recognise that personal privacy has some importance. I am not saying for a moment that that kind of information should not be disclosed, I am saying that we do not have very much appreciation of the way in which information is transferred, even with our consent, because we all tick the box on the credit card form, not being aware that it says, "This information may be transferred and shared with other third parties", but we never fully appreciate, until we start receiving marketing letters from other people on the credit card list, how precisely that information is being used. So there is public unease—a lot of issues, like, for example, fingerprinting in schools that came to our attention by way of a letter—but is there enough? No, there is not.

  Q294  Mr Winnick: Can I put this question to Dr Pounder. Is there a contradiction between what we were just dealing with, the concern and how far it is extended regarding intrusion into private lives, and the fact that an increasing number of the public seem to take what could be described as a remarkable casual attitude to publishing large amounts of personal data about themselves? For example, FaceBook or MySpace websites. For all we know, on Mr Denham's blog he might be openly speculating what sort of job he is likely to be offered later this week!

  Dr Pounder: People have their own view of privacy. Lots of people are ex-directory; lots of people are not ex-directory. Some people when they fill out an application form tick the box before filling in the form. If people want to put their personal information on the Internet, then, basically, that is them giving permission, but coming back to the point here—

  Q295  Mr Winnick: Pursuing that for a moment, it does demonstrate—I do not do it myself—the fact that there seem to be so many people, perhaps younger people, putting such information on the websites which I have mentioned. It does not seem me to express a fear that their personal privacy is in some way being invaded.

  Dr Pounder: Well, they take the risk. Whether they know the risks, I do not know, but coming back to the point here—seriously, it has to be faced—there have been 20,000 complaints to the Information Commissioner last year.

  Q296  Mr Winnick: How many?

  Dr Pounder: Twenty thousand in the annual report. The annual report also has a tracking survey for privacy that picks up Liberty's issues. You are already having people thinking of the "Big Opt-out" in relation to the Summary Care Record of the NHS, you have people, in a sense, questioning (and I am sure you have had this) why the police have DNA data on somebody who has not committed a crime, you have even got people questioning the electronic tag on their rubbish collection. If that is not concern about surveillance, I do not know what is.

  Ms Chakrabarti: To interrupt—

  Chairman: No, we are not going to have two attempts at the question. Can we move on?

  Mr Winnick: I assure you, Dr Pounder, I share your view, although it might not appear to be in my question.

  Chairman: Meanwhile, I am composing 10 pictures of my favourite members of the Select Committee! Carry on, Mr Winnick.

  Q297  Mr Winnick: I am sure I would be foremost. Dr Metcalfe, JUSTICE, you argue that the interests of the private individual and public good are not opposed—this is the point of view you have expressed—but is not the job for parliamentarians somewhat different, a question of personal liberty versus the common good, and trying, as far as we are concerned, to reach a balance between the two?

  Dr Metcalfe: The point I was trying to make, and it was probably the most philosophical section of our evidence, is that personal liberty is ultimately part of the common good, that we benefit from having privacy, we benefit not merely as individuals in having privacy, we benefit as a society: because people do things in their private space, in their private time, and the benefits from that flow on to society as a whole. You could give the example of a writer. We would not have much of the great literature that we have today if, say, all our great writers thought that everything that they wrote down was likely to be under surveillance, for example. It was just a very abstract philosophical point about the way in which privacy exists, not only for the individual, but also for the common good, and that we should be very careful about the impact of new technologies that threaten that, and I think MySpace and FaceBook are very good examples. It is great that we have these new communication networks, but I do not actually think that lot of young people think very clearly ahead about the way in which their personal data could be disclosed and could be used, in the same way that young people do not think ahead about an awful lot of things, like their educational choices and how much they drink on a Friday night. So, in the position of responsibility that Parliament is in, we need to establish greater safeguards to ensure that other bodies, other agencies, other companies take responsibility as well.

  Q298  Mr Winnick: Presumably that is Liberty's point of view?

  Ms Chakrabarti: Absolutely. You were all elected in secret ballots and the concept of a secret ballot is essential to free elections. Without this right, even in the human rights community, sometimes regarded as a bit low-level, a bit trivial—it is not torture, it is not arbitrary detention—you cannot have free elections, freedom of thought, conscience and religion, freedom of speech in some circumstances without that little bit of personal space and respect for it. I completely agree with Eric on the young people and the FaceBook point. The threats do not just come from the Government or big business; if we are not careful we will rear a generation of young people who have not really known the value of privacy as part of dignity, as part of respect. People can take pictures of each other with their mobile phones; they put pictures of their girlfriends on Internet in states of undress. We as citizens, if you do not help us to resurrect the importance of privacy and dignity, could be a great enemy to each other in relation to this value.

  Q299  Patrick Mercer: Turning now to automated data exchange and Shami Chakrabarti, this is for you, please: do you think that the creation of databases sometimes provides an easy or a lazy solution to problems that actually require better communication and co-ordination between responsible professionals?

  Ms Chakrabarti: Yes, I do. That is a very helpful and leading question, but, yes, I do. At Liberty we try to take a balanced view of these issues. We are not against all databases, how could we be, let alone all automated databases, but sometimes, we would argue, when something bad happens it is easy to say that the answer, for example, to a Climbié situation is to build an ever bigger database, whereas in the specific tragic case of Victoria Climbié it was not the lack of a data entry of every child in the country, a lot of bad things happened to that girl before she came to her tragic end and people did not communicate about the specific. Obviously, sometimes when you are looking for a needle in a haystack, it has been said many times before, do not build an ever bigger haystack where you increase the risks of accidents, and so on and so forth.

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2008
Prepared 8 June 2008