Surveillance: Citizens and the State - Constitution Committee Contents


CHAPTER 2: Overview of surveillance and data collection

17.  Part One of this chapter explains many of the terms and practices involved in surveillance and the processing of personal data, as well as the principles underlying the current legal and regulatory structure in the UK. Part Two describes the key features of surveillance and the information and communication technology (ICT) that is used by the public and private sectors to monitor individuals. It explains how surveillance and data processing have become prominent features of daily life, focussing primarily on the public sector. Finally, it considers the trends in both the public and the private sectors that arguably pose a challenge to the current system of regulation.

Part One—Key definitions

BACKGROUND

18.  The term "surveillance" is used in different ways. A literal definition of surveillance as "watching over" indicates monitoring the behaviour of persons, objects, or systems. However surveillance is not only a visual process which involves looking at people and things. Surveillance can be undertaken in a wide range of ways involving a variety of technologies. The instruments of surveillance include closed-circuit television (CCTV), the interception of telecommunications ("wiretapping"), covert activities by human agents, heat-seeking and other sensing devices, body scans, technology for tracking movement, and many others.

19.  Surveillance and data collection are features of nearly every aspect of the public sector. The processing of personal data has always been part of public administration, and is essential to effective governance and efficient service delivery. But contemporary uses of surveillance and data processing can be distinguished from those of the past in extent and the intensity with which information is analysed, collated, and used. The growing use of CCTV cameras in public and private places, increased reliance on the interception of communications by the police and security services, and the formation of a national scheme of identity cards, are examples of the expansion of surveillance in the UK. Although this inquiry is less concerned with private sector surveillance, we note that activity in this field is widespread and often at the forefront of developments involving advanced surveillance technology and data processing techniques.[31]

20.  In 2006 the Surveillance Studies Network produced a report for the Information Commissioner's Office (ICO) which said that "where we find purposeful, routine, systematic and focused attention paid to personal details, for the sake of control, entitlement, management, influence or protection, we are looking at surveillance."[32] The collection and processing of information about persons can be used for purposes of influencing their behaviour or providing services.

21.  Recent discussions of surveillance have considered the notion that we are living in a "surveillance society". There are a variety of views. In an interview with The Times newspaper in 2004 the Information Commissioner, Richard Thomas, expressed his "anxiety that we don't sleepwalk into a surveillance society".[33] The Commissioner told us that surveillance was "traditionally associated with totalitarian regimes but some of the risks can arise within a more democratic framework." (Q 2)

22.  Gareth Crossman, the then Director of Policy at Liberty, thought that "now that the language of surveillance society has entered the consciousness, it is useful and appropriate language to use". (Q 221) On the other hand, Mike Bradford, Experian's Director of Regulatory and Consumer Affairs, told us that constant reference to "a surveillance society" only increased public concern, often unnecessarily. (Q 317)

23.  Surveillance is rapidly becoming a more intensive and normal instrument of modern government. This was acknowledged by Tony McNulty MP, the then Minister for Security, Counter-terrorism, Crime and Policing at the Home Office, who told us that surveillance is "today's normality. CCTV, DNA database and a whole range of these other elements are not there as a response to exceptional threats and exceptional circumstances … I think that is routine in the 21st century". (Q 927)

TWO BROAD TYPES OF SURVEILLANCE

24.  Two broad types of surveillance can be distinguished: mass surveillance and targeted surveillance. Mass surveillance is also known as "passive" or "undirected" surveillance. (JUSTICE, p 109, note 20) It is not targeted on any particular individual but gathers images and information for possible future use. CCTV and databases are examples of mass surveillance.

25.  Targeted surveillance is surveillance directed at particular individuals and can involve the use of specific powers by authorised public agencies. Targeted surveillance can be carried out overtly or covertly, and can involve human agents. Under the Regulation of Investigatory Powers Act 2000 (RIPA), targeted covert surveillance is "directed" if it is carried out for a specific investigation or operation. By comparison, if it is carried out on designated premises or on a vehicle, it is "intrusive" surveillance. Targeting methods include the interception of communications, the use of communications "traffic" data, visual surveillance devices, and devices that sense movement, objects or persons.

USES OF PERSONAL DATA

26.  The term "surveillance" is sometimes applied to the collection and processing of personal data. The combined term "dataveillance" covers "the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons".[34] JUSTICE suggested that a common feature of surveillance was "the use of personal data for the purpose of monitoring, policing or regulating individual conduct." (p 109, note 20) Dr David Murakami Wood, Lecturer at the School of Architecture, Planning and Landscape, University of Newcastle upon Tyne, and representative of the Surveillance Studies Network, said that the use of definitional extremes—which regard all (or at least all unwanted or unjustified) information gathering as surveillance—was unhelpful. He argued that "information gathering with the intent to influence and control aspects of behaviour or activities of individuals or groups would be our working definition." (Q 37)

27.  The term "data use" includes those forms of personal data collection and processing relevant to surveillance as defined in the Data Protection Act 1998 (DPA) and the 1995 European Data Protection Directive 95/46/EC (the Directive) that the DPA transposes into UK law. These documents state that the "'processing of personal data' … shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction".[35]

DATA SHARING

28.  Personal data can be shared in different ways, depending on the technology and information systems used.[36] In the social and health services, for example, data may be placed in a common pool that can be accessed (according to certain rules) by persons either in or connected with the organisation responsible for collecting and storing the information. Data sharing can be conducted between carers, or may follow more complex paths and reciprocal arrangements. The Ministry of Justice told us that data sharing is at the forefront of many state activities in this country. (pp 315-22)

29.  Judgments about when and how much data can be shared require difficult decisions. In Chapter 6 we discuss the complex legal and ethical issues which the Government are currently seeking to address. Although the common law and statutory frameworks (such as those established by the Social Security Fraud Act 2001) may provide legal bases for the sharing of data, agency practices and legal uncertainty have inhibited data sharing in the criminal justice system and in some public services. For example, the Bichard Inquiry into the Soham murders highlighted deficiencies in the sharing of information between social services and the police, and recommended an overhaul of procedures, including the provision of better guidance and a code of practice on information practices.[37] The IMPACT programme for information sharing between police forces implements a number of Bichard's recommendations. (National Policing Improvement Agency (NPIA), p 47)

30.  The 2008 Data Sharing Review Report, by Richard Thomas, the Information Commissioner, and Mark Walport, Director of the Wellcome Trust (the Thomas-Walport Review) states that data sharing of itself is neither good nor bad.[38] The Review opined that the Government's enthusiasm for data sharing has given the impression that they view the practice as an "unconditional good", and that they have paid insufficient heed to corresponding risks and concerns.[39] The Review's recommendations for the better governance of data sharing are considered later in this report.

DATA MATCHING

31.  Data matching is the technique of comparing different databases so as to identify common features or trends in the data. Matching unemployment benefit claimants against employed persons may, for instance, be a way of identifying potentially fraudulent claimants for further investigation.

32.  Similarly, crime scene samples of DNA are frequently matched against the database of DNA samples taken from individuals so as to identify possible suspects. Law enforcement agencies and government have pressed for greater use of data matching to prevent and detect crime, including identity-related fraud.[40]

DATA MINING AND PROFILING

33.  Data mining involves the use of mathematically based analytical tools to detect patterns in large sets of data with the purpose of predicting certain kinds of behaviour, such as the propensity to engage in criminal activity or to purchase particular consumer goods. Profiling is "a technique whereby a set of characteristics of a particular class of person is inferred from past experience, and data-holdings are then searched for individuals with a close fit to that set of characteristics".[41]

34.  In the public sector these techniques may be used, for example, to predict a variety of risk patterns in the population, thereby enabling public services and law enforcement resources to be appropriately focussed. Although this process may enable benefits and social services to be targeted more accurately and effectively, it may arguably lead to discrimination by singling out individuals or social groups for adverse treatment on the basis of incorrect or misleading assumptions.

35.  The use of personal data in data matching and profiling presents challenges to the necessity and proportionality aspects of data protection and human rights legislation. We discuss this further in Chapter 4, paragraphs 122-149.

PRIVACY

36.  There are many definitions and conceptions of privacy.[42] Dr Lee Bygrave, Associate Professor in the Faculty of Law, University of Oslo, took the view that "surveillance, by its very definition, involves a reduction of privacy." However, he argued that it was more difficult to gauge the effect of surveillance on perceptions of freedom, because people can "go around thinking they are free even though they are really in some sort of aquarium." (Q 488) Professor Bert-Jaap Koops, Professor of Law and Technology at Tilburg University Institute for Law, Technology and Society (TILT), argued that since surveillance was "moving towards a paradigm of preventative measures in which you monitor large groups", the privacy of individuals was inevitably diminished because the courts are only involved in rare cases of complaint or where "an odd thing happens". (Q 505) The loss of privacy in some cases may be harmless and may be offset by the benefits of surveillance and data collection.

37.  We consider the issue of privacy in more detail in Chapter 4.

DATA PROTECTION

38.  Data protection laws are often seen as privacy laws by any other name. Many countries have substantially similar laws to our DPA, but call them "privacy" laws and confer the title of "Privacy Commissioner" upon their regulatory official.

39.  The system of data protection in the UK is based on the DPA (see Chapter 4), which sets out the laws governing the collection, use and communication of personal data and ensuring the quality of data. In addition, it sets out rules and establishes a regulatory regime for implementing them. "Data protection" is sometimes regarded as a matter mainly of data security—the physical and administrative safeguarding of personal data once it has been collected. This narrow and somewhat technical view, however, does not do justice to the breadth of data protection law as established by the Directive and the DPA. Data protection also involves limiting access to secure data.

Part Two—Characteristics of contemporary surveillance and data use

40.  In the rest of this chapter we consider the main features of current surveillance and data use in the UK, and examine how existing practices differ from those of the past.

41.  The Surveillance Studies Network identified characteristics of current surveillance practices, including pervasiveness, intensity, speed, interconnection, automation and several others (pp 22-23) on which we report.

THE ROLE OF TECHNOLOGY

42.  Surveillance technology is used by governments and private organisations to achieve specific ends, such as maintaining public order, anticipating and meeting social needs, and responding to market trends and consumer demand.

43.  The role of technology in surveillance is pre-eminent and poses formidable regulatory problems. The Information Commissioner told us that individuals "leave electronic footprints behind with the click of mouse, making a phone call, paying with a payment card, using 'joined up' government services or just walking down a street where CCTV is in operation. Our transactions are tracked, our interactions identified and our preferences profiled—all with potential to build up an increasingly detailed and intrusive picture of how each of us lives our life. This has increased the capability for surveillance of the citizen through data collection." (p 2)

44.  New ICTs enable "ubiquitous computing" or "ambient intelligence" (AmI)[43] to play an increasing role in our lives through the use of embedded devices which can continuously collect and process information. The devices sense movement and monitor how individuals interact with objects such as vehicles and domestic appliances, making it possible to "customise" the use of technology in the home, the workplace, and elsewhere. New technology, which sometimes incorporates biometric devices such as fingerprint readers or iris scans, can aid in care of the elderly and the infirm, or be used to monitor and control offenders. It is difficult to regulate the effects of AmI where it occurs without people's consent or knowledge.

THE IMPETUS BEHIND SURVEILLANCE AND DATA USE

45.  Surveillance and data use are becoming increasingly widespread. National security, public safety, the prevention and detection of crime, and the control of borders are among the most powerful forces behind the use of a wide range of surveillance techniques and the collection and analysis of large quantities of personal data.

46.  The desire for safety is an example. Councillor Hazel Harding, Leader of Lancashire County Council and Chair of the Local Government Association Safer Communities Board, told us that answers to her Council's questions to residents of Lancashire about issues of importance suggested that "the number one issue for people … is to feel safe. I think it is more than something people aspire to; I think it is a basic human need". (Q 784)

47.  The provision of public services of all kinds has become dependent on data collection, sharing, and other related practices. Government activity is dependent on the use of personal data. The economy is fuelled by information processing. Many companies build their businesses around the collection and analysis of data. "Customer-relationship marketing" (CRM)[44] involves "knowing the customer" through intensive surveillance of consumer behaviour.

LARGE-SCALE, ROUTINE PRACTICES

48.  Many surveillance practices are now widespread and routine, with data being collected on the entire population and not just on traditional "suspects". The practices are no longer carried out only by specialist bodies such as the police and border control agencies. Information is frequently stored and used as a matter of normal organisational routine. Liberty argued that whilst the proliferation of CCTV has attracted more observation and comment, arguably the most profound societal shift in the last decade has been the growth in the use of mass informational databases. (p 105)

49.  The National DNA Database (NDNAD) is rapidly growing, and now contains millions of samples taken from individuals and crime scenes. ContactPoint is intended to be a database that stores data on every child in England and Wales. The National Health Service Care Records Service (NHS CRS), a major part of the computerisation project in the NHS, will include a copy of every patient's medical record. The National Identity Register (NIR) will include information on everyone for the purposes of establishing and verifying their identities. The Government gave us many further examples of the use and sharing of personal data elsewhere in the public sector. (pp 323-41)

50.  Other well-established, extensive databases—such as those authorised by statute for the purposes of taxation, employment, education, benefits, social services, vehicle driving and licensing, and law enforcement—have developed over many decades before and after they were listed and described in the Lindop Report on Data Protection in 1978.[45] Personal data have also been shared across government agencies, and sometimes disclosed to the private sector (for example, employers), without consent.

THE AVAILABILITY OF TECHNOLOGY

51.  As ICTs and systems have developed over the years, so has the technology available for monitoring, tracking and identification purposes. Transmitting equipment, in the form of Radio Frequency Identification (RFID) tags, is embedded in industrial and consumer products, physical structures such as buildings, roads, documents, and persons themselves. These enable the movement of goods as well as people to be monitored. The unit cost of hardware and software has fallen dramatically over time, and the collection and storage capacity, functions and versatility of electronic information and communication equipment has expanded. The Royal Academy of Engineering (RAE) has projected the further development of a range of information technology into the foreseeable future.[46]

52.  Access to ICTs has long since ceased to be the preserve of large organisations and the wealthy. The means of surveillance and data use are being disseminated throughout most organisations. "Interoperability"—the ability to transfer data easily across a variety of types of equipment—still presents problems, but efforts are being made to overcome them in order to improve co-ordination between organisations and the sharing of data, including personal information.

THE GLOBAL FLOW OF PERSONAL DATA

53.  Changes in technology and in the way in which business and government operate mean that information now rapidly flows across national borders, into and out of different sets of legal and other controls, and in ways that are difficult to trace. It is therefore difficult for individuals to hold persons or agencies to account for the processing of personal data.

54.  It has proved difficult to establish standardised global rules and practices. This restricts the development of protection against excessive surveillance and data use.

PUBLIC SECTOR AND PRIVATE SECTOR DATA USES

55.  The distinction between the public and private sector is becoming increasingly blurred as public services are provided through partnerships and other joint arrangements. Many public sector bodies now employ outside firms to manage their databases. In the public sector, and in joint arrangements, data-based surveillance may be used to assist in the provision of social benefits to individuals or groups, and in the identification of people who may be either at risk of harm or who pose a risk to others if they are not identified and properly treated. The Government provided information on the many circumstances in which personal information is, or will be, gathered and used by the public sector. (pp 323-41)

56.  The development of "e-government" and "Transformational Government",[47] including the sharing of personal data across departments and agencies, represents a major innovation in the UK public sector. What is sometimes called the "database state" (NO2ID, pp 424-26) is the object of public attention when there are breaches of security and data losses, theft or expenditure overruns.

57.  The Government drew attention to the relationship between central and local government, for example in respect of the advice and guidance given by the Department of Communities and Local Government (CLG) to local authorities on the use and sharing of personal information in their revenues and benefits departments. (pp 323-41) Local authorities are some of the most frequent users of personal information. They are also among those bodies which are permitted to conduct surveillance operations under RIPA,[48] and they deploy and control most public-space CCTV systems.

58.  Private sector surveillance is prevalent in the majority of commercial environments, such as shopping centres, supermarkets, stores, and banks. It has also become an inescapable aspect of life on the internet, where the browsing behaviour of online shoppers is routinely recorded and analysed by companies and marketing firms. Surveillance now plays a major role in the workplace, with many employers monitoring the behaviour of employees in order to assess performance and prevent the use of online facilities for private purposes.[49]

59.  There are many other instances of private sector surveillance. The technology contained in mobile telephones makes it possible for companies to monitor communications and track geographic location. Camera systems can be used to watch over warehouses, industrial and business premises that cannot be patrolled easily or cheaply using guards. Domestic surveillance devices can be readily purchased and installed in private residences.

60.  The widespread use in CRM of consumer databases, which are matched, mined, shared, rented, and sold commercially, has become a central feature of business activity. Trevor Bedeman, an independent consultant specialising in data and information sharing, drew attention to data sharing practices within the private sector. (p 385)

61.  Credit referencing activities depend on the processing of personal data, which is also indispensable for combating financial fraud. Mike Bradford told us of Experian's concern to maintain the trust of business clients and the public in the way in which they safeguard and use personal data. (QQ 346, 350)

62.  On the other hand, Toby Stevens, Director of the Enterprise Privacy Group, told us that, although private companies are obliged to comply with data protection principles, human rights and related laws, there is no duty to offer privacy. He argued that "privacy is, in fact, a secondary benefit to the consumer arising from good commercial practice". (Q 343)

63.  The RAE argued that schemes such as Oyster cards and store loyalty cards "effectively collect data about peoples' journeys and purchases by stealth, as the user may be unaware that such information is generated when they are used. It is not obvious that a loyalty card designed to attract customers into a store will be used to harvest personal information used in marketing, and it is not clear that the card should have to function in that way." (p 435)

64.  Mike Bradford told us that Experian were actively working with government on how public and private sector data can come together. (Q 362) The Government have also been exploring ways of exchanging data with the private sector to combat financial fraud through membership of CIFAS, the UK's Fraud Prevention Service.[50]

65.  The Information Commissioner thought it was not surprising that the police, the security services and other agencies wanted access to private sector databases, but he alluded to the dangers of a "free for all":

    "It is a fundamental principle of data protection that information collected for one purpose should not be used for another unless certain requirements are met. So we are not saying that there should never be access to private sector databases, but we are saying that it should be controlled." (Q 18)

66.  The trend towards more data sharing suggests that the difficulty of tracing what happens to personal data, and of maintaining clear lines of accountability and responsibility for them, will increase over time, with implications for the current regime of regulatory safeguards for the citizen.

67.  In the following chapters, we consider these issues in detail and offer recommendations on safeguards against intrusions on privacy and excessive surveillance.


31   See Lace S (ed.), The Glass Consumer: Life in a Surveillance Society, 2005. Back

32   A Report on the Surveillance Society, op. cit., para 3.1. Back

33   Ford R, "Beware rise of Big Brother state, warns data watchdog", op citBack

34   Clarke R, Introduction to Dataveillance and Information Privacy, and Definitions of Terms, August 2006. Back

35   EU Data Protection Directive 95/46/EC, Article 2(b).  Back

36   Information Commissioner's Office, Framework Code of Practice for Sharing Personal Information, October 2007, p 5.  Back

37   The Bichard Inquiry Report, June 2004 (HC 653).  Back

38   Data Sharing Review Report, op. cit., p i.  Back

39   ibid., para 1.10. Back

40   See for example Home Office, New Powers Against Organised and Financial Crime, Cm 6875, 11 July 2006. Back

41   Clarke R, Profiling: A Hidden Challenge to the Regulation of Data Surveillance, 1993. Back

42   See for example Schoeman F (ed.), Philosophical Dimensions of Privacy: An Anthology, 1984; Young J (ed.), Privacy, 1978. See also Westin A, Privacy and Freedom, 1967; Roessler B, The Value of Privacy, 2005.  Back

43   See Wright D, Gutwirth S, Friedewald M, Vildjiounaite E and Punie Y (eds.), Safeguards in a World of Ambient Intelligence, 2008. Back

44   See Evans M, "The Data-Informed Marketing Model and its Social Responsibility", in The Glass Consumer, op. cit., Chapter 4, pp 99-132.  Back

45   Home Office, Report of the Committee on Data Protection (Chairman: Sir Norman Lindop), Cm 7341, December 1978. Back

46   Dilemmas of Privacy and Surveillance: Challenges of Technological Change, op. cit., Chapter 3. Back

47   Cabinet Office, Transformational Government-Enabled by Technology, Cm 6683, November 2005; Information Sharing Vision Statement, op. cit. Back

48   See paragraphs 164-178. Back

49   Carvel J, "Most employers restrict staff time on internet, says survey", The Guardian, 2 December 2008. Back

50   Home Office, New Powers Against Organised and Financial Crime, Cm 6875, July 2006. Back


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2009