Memorandum by the Information Commissioner
1. The Information Commissioner has responsibility
for promoting and enforcing the Data Protection Act 1998 and the
Freedom of Information Act 2000. He is independent from government
and promotes access to official information and the protection
of personal information. The Commissioner does this by providing
guidance to individuals and organisations, solving problems where
he can, and taking appropriate action where the law is broken.
The comments in this evidence are primarily from the data protection
perspective.
2. The Information Commissioner's understanding
is that the German Presidency of the European Union is giving
priority to achieving the incorporation of the Prüm Convention
into EU law. He also understands that whilst the principle of
availability is still a guiding force, work on the adoption of
a Framework Decision on the exchange of information under the
principle of availability is not proceeding, at least for the
time being. Work on the Data Protection Framework Decision (DPFD)
is still underway, albeit that it is not now the Presidency's
highest priority. Proposals from the Presidency on how the DPFD
might be taken forward are awaited.
3. The Commissioner does not have any fundamental
concerns about the Pruüm Convention itself or its incorporation
into EU law. His principle area of concern is over the direction
that developments in the EU's third pillar are now taking. In
previous evidence to the Committee he has stressed the importance
he attaches to the DPFD. He sees clear advantages in a single
comprehensive data protection instrument for the third pillar.
If framed appropriately it has the potential to provide a simple,
easily understood data protection regime that provides real benefits
to the individuals it is seeking to protect and is easily put
into effect by the law enforcement agencies to which it is directed.
He has been encouraged by the extent to which the Committee have
shared this view.
4. The problem with the Pruüm Convention
is that it is another example of the piecemeal approach to the
exchange of information and associated data protection controls
in the third pillar. So far as data protection is concerned it
will further complicate an already complex picture. Complexity
is neither in the interests of the individuals whose rights and
freedoms are being protected nor of the law enforcement agencies
who have to implement the necessary controls. The Commissioner's
view is that to be consistent with good regulatory practice the
correct strategic approach would be to give priority to the adoption
of the DPFD as a precursor to any further developments involving
the exchange or availability of personal data. To the extent that
incorporation of the Pruüm Convention diverts attention from
progressing the DPFD, it is unwelcome.
5. If the DPFD is eventually adopted the
relationship between its provisions and the data protection provisions
of the Pruüm Convention is unclear. As currently drafted
the DPFD excludes a number of other data protection regimes established
under third pillar instruments such as the Europol Convention.
It is possible that the Pruüm Convention could be added to
the list of exclusions. However it is the Commissioner's understanding
that as part of its proposals for progressing the DPFD the Presidency
intends to propose removal of these exceptions. This would be
welcome from the point of view of clarity and consistency provided
it does not involve any reduction in the level of protection afforded
to individuals.
6. Perhaps the most likely and desirable
outcome, if both the Pruüm Convention and the DPFD are incorporated
into EU law, is that, as discussed in the Commissioner's evidence
on SISII, the DPFD will provide the "lex generalis"
and the Pruüm Convention will provide the "lex specialis".
Thus the general provisions of the DPFD will apply except where
there are more specific provisions (eg in relation to logging
and recording) in the Pruüm Convention. We would not expect
the provisions of the DPFD to be undermined by the Pruüm
Convention. Rather it would "particularise and complement"
the provisions of the DPFD in the specific context of Pruüm
Convention activities.
7. So far as data protection controls are
concerned there is much to be welcomed in the Pruüm Convention
itself. There is no new central database with the attendant risk
and need for supervision that this would bring. The exchange of
DNA profiles and fingerprints is based on a hit/no hit system.
This means that full details are only exchanged once it is clear
that the records in question relate to the same person. Such an
approach is consistent with the aim of "data minimisation".
The data protection provisions apply equally to automated and
to non-automated processing of personal data and includes detailed
rules on logging and recording the exchange of data.
8. The Committee has indicated that it has
a particular interest in the automated searching of DNA and fingerprint
data. The Commissioner is encouraged that the exchange of data
in both cases is initially limited to "reference data"
from which the data subject can not be directly identified. Whilst
it is clear to the Commissioner that this is still an exchange
of personal data the limited extent of this initial exchange is
welcome. However the Commissioner has some concerns over the basis
on which matching will take place. There is no definition of what
is meant by a "match". It is the Commissioner's understanding
that in the UK matching of DNA profiles used to take place on
the basis of six regions of the DNA. Following a case in which
a sample from a crime scene was matched with an individual who
could not in fact have been at the scene of the crime ten regions
are now used for matching.[1]
It is also the Commissioner's understanding that some other EU
member states still use six point matching and this may be the
basis for matching under the Pruüm Convention. This gives
rise to obvious concerns about the reliability of matching. If
matching on less than six points is allowed, for example because
a scene of crime sample is not good enough to yield as many as
six points, the Commissioner's concerns are heightened.
9. Furthermore the Commissioner is aware
of the importance of quality control in DNA profiling. He has
no evidence about the quality of DNA sampling in other EU members
states but is aware that if the Pruüm Convention is adopted
across the EU DNA profiles from the UK will be available to law
enforcement agencies that have very much less experience of DNA
profiling than those in the UK. In this connection it is worth
noting that extending the Pruüm Convention to all 27 EU member
states will mean that its benefits and data become available to
a range of countries with traditions, legal systems and law enforcement
expertise that are very different from those in the seven original
signatory countries. The Commissioner's concern is not to prevent
DNA and fingerprint matching across borders but to ensure that
no-one places any more reliance on an apparent match of DNA or
fingerprints that is scientifically justified. He has in mind
in particular, a case from 2003 when a UK citizen who had never
been to Italy was wrongly arrested for a murder in Italy on the
basis of apparent DNA evidence.[2]
10. Another area of concern arises from
the size of the UK's DNA database. As the Committee will know
the UK has the world's most extensive collection of DNA profiles.
This is an issue on which the Commissioner has frequently passed
critical comment. The database extends not just to those who have
been convicted of offences but also in many cases to those who
have been arrested and to those who have volunteered samples for
elimination purposes. Once held profiles are retained for the
lifetime of the subject. Other EU members states have very much
smaller collections of DNA profiles. For example the Commissioner's
understanding is that in Germany profiles are only held for those
who have been convicted of serious offences. The effect of this
is that, so far as the UK is concerned, the traffic of DNA profiles
is likely to be largely one way.
11. Furthermore the uses to which profiles
may be put may differ from member state to member state. For example
in the UK the technique of familial searching is used whereby
a suspect can be identified though the DNA of family members in
the same genetic line. It is not known how widely the same technique
is used in other member states. Whilst it appears that the provisions
of the Pruüm Convention may not permit familial searching
across borders this is not beyond doubt, particularly as there
is no definition of what constitutes a DNA profile match. This
is though illustrative of how DNA profiles, fingerprints and supplementary
information could be used after transfer in a way that would not
be permissible in the member state of origin. In practice this
may be more of a problem for some other EU member states that
it is for the UK, although the extension of the Pruüm provisions
to all 27 EU member states rather than the original seven signatories
must be borne in mind. In any case there will be a need to check
that making the UK's collection of DNA profiles available under
the provisions of the Pruüm Convention is consistent with
the basis of which the profiles were originally obtained. This
is particularly true of voluntary samples where samples will have
been given on the basis of assurances about their future use.
12. The Information Commissioner would also
like to draw attention to the provisions in Article 39 for data
protection supervision. To the extent that they underline the
importance of such supervision and give powers to supervisory
authorities to make checks on the exchange of data under the Pruüm
Convention that would not otherwise be available to the UK Information
Commissioner's office, they are welcome. The Commissioner's expectation
is that these additional powers would have to be specifically
translated into UK law by amendment to the Data Protection Act.
This is the approach that has been taken in other cases where
deficiencies in the Commissioner's inspection powers have had
to be corrected in order to honour the UK's commitments under
international instruments. An example is the Europol Convention.
13. Another concern is that the Convention
makes it mandatory for supervisory authorities to carry out random
checks on the lawfulness of the supply of data. This clearly has
resource implications for the Commissioner's office. How significant
these are will depend on the extent to which personal data are
exchanged under the Pruüm Convention once all 27 EU member
states are party to it. The main concern though is the principle
involved in placing an obligation on the Commissioner to carry
out specific checks on the processing of personal data. He is
very clear that he should concentrate his limited resources on
addressing processing of personal data that carries a significant
risk of serious harm. This is consistent with good regulatory
practice. Although in reality processing under the Pruüm
Convention might well satisfy this test there is a wider principle
at stake in that placing legal obligations on the Commissioner
to carry out checks in specific areas could deflect him from carrying
out checks in areas that in fact pose greater data protection
risk, unless he has additional resources made available to him.
14. There is also a question about arrangements
for cooperation between data protection supervisory authorities
beyond the requirement of one authority to carry out checks when
requested to do so by another. Although the Commissioner is not
in favour of any disproportionately burdensome cooperation arrangements
there will be a need, particularly once all 27 member states are
involved, to ensure consistency in the application of the data
protection provisions of the Convention, to carry out coordinated
checks and to identify and make recommendations to address any
defects in the legal framework. This is the nature of the role
envisaged for the Working Party that is proposed in Article 31
of DPFD. Implementing the Pruüm Convention in the absence
of the DPFD and without any compensating provisions will leave
an unfortunate gap.
15. Finally the Commissioner draws attention
to Article 44 of the Pruüm Convention. This provides for
the Contracting Parties' competent authorities to conclude agreements
for the administrative implementation of the Convention. The Commissioner's
understanding is that such agreements have been concluded between
the existing Pruüm members. He is therefore unclear as to
whether the UK will simply have to accept these or whether application
of the Convention to the UK will lead to a new set of agreements.
It is through these agreements that a number of areas of uncertainty
and potential data protection concern can be addressed. The Information
Commissioner would expect to be consulted by the Government to
the extent that they are in a position to influence these agreements.
1 March 2007
1 The case of Raymond Easton 1995. Back
2
The case of Peter Hamkin 2003. Back
|