Surveillance: Citizens and the State - Constitution Committee Contents


CHAPTER 6: Government

Privacy protection in government: strengths

260.  Successive governments have stressed the importance of protecting privacy and limiting the surveillance activities of the state. Most recently, in a speech in June 2008, the Prime Minister emphasised the need to preserve individual liberties when introducing new measures to fight crime and terrorism such as those relating to identity cards, the National DNA Database (NDNAD), and CCTV.[114]

261.  Tony McNulty MP, the then Home Office Minister for Security, Counter-terrorism, Crime and Policing, told us:

    "As our democracy has developed we have struggled with the rights of the individual and privacy and that individual's responsibility, and the duty afforded to the state in terms of public protection and public welfare … the debate we are having now is about striking that balance, given other factors like … technology data and all the other elements. I would … weigh in that balance very strongly the rights of the individual and those broader rights of the state. Where there is a contest, other than in extreme cases, the rights of the individual prevail rather than the state; that is our democratic tradition and value." (Q 924)

262.  His successor, Vernon Coaker MP, told us that "respect for human rights" is a core principle "with respect to all of the work that we do in this area. We have to cherish the right to privacy. That is fundamental to all of us and needs to be protected. The Government has always been clear that where surveillance or data protection impacts on privacy that should only be done where it is both necessary and proportionate … Of course, the other principle to balance up with all of that is the desire to protect the public … not only from terrorism but also from serious crime … It is about where we draw the line and how we have the correct balance between these things which is absolutely essential. It is not always easy to do that." (Q 1010)

263.  Vernon Coaker also told us that "different times require the appropriate response to that particular time … Times change, technology changes. There are difficulties, there are threats to us, as we know only too well, which we have seen on our streets, and that requires us to take action against them. An important point is to say this: society should respond in the appropriate way to the threat that it faces at that particular time, always having regard to the need to balance national security with human rights, and the judgment of where that line should be drawn will vary from one age to the next." (Q 1071)

264.  Michael Wills MP, Minister of State in the Ministry of Justice (MoJ) with responsibility for data handling issues, emphasised that:

    "It is important that this is not only about privacy, it is also about how we maximise the benefits of data sharing … I do not think we can ever look at these things in isolation. All of us often want two separate things at the same time. We are all very careful about our own privacy … However, we also want more efficient public services … you do need to have data sharing. The question is how do you do that without, at the same time, compromising people's quite proper sense of their own privacy and confidentiality? That is the challenge." (Q 975)

265.  The current Transformational Government agenda, an initiative aimed at transforming public services through the use of technology, includes an understanding that any new system of public service delivery should pay proper attention to the protection of privacy.[115] It also suggests that the maintenance of public trust should be treated as a requirement for any new public sector programme. Adherence to the principle of data minimisation—the collection or retention of the minimum amount of data necessary to carry out a designated function—is part of Transformational Government. Michael Wills interpreted this in terms of the integration of separate databases with a view to using data more efficiently rather than collecting less data. (Q 973)

266.  The manner in which identities are verified in transactions plays a part in determining the extent of privacy protection. Government is aware that there are benefits to providing citizens with improved identity management.[116] Among these benefits is a reduced risk of identity fraud.

267.  According to the Crosby report on Challenges and Opportunities in Identity Assurance, an identity assurance system (which differs from identity management by focusing on the interests of the consumer of services rather than on the interests of the owner of the database) shifts decisions on identification to the citizen:

    "The expression 'ID management' suggests data sharing and database consolidation, concepts which principally serve the interests of the owner of the database, for example the Government or the banks. Whereas we think of 'ID assurance' as a consumer-led concept, a process that meets an important consumer need without necessarily providing any spin-off benefits to the owner of any database. This distinction is fundamental … Some may wish to seek the potential benefits of 'joined-up government' and share their personal data across departments, if they are assured of the security of their data. Others will favour privacy over convenience and will prefer not to share any personal data. Ideally, ID assurance schemes should provide options".[117]

268.  The Information Commissioner's Office (ICO) drew attention to the use in Austria of a system of identification numbers that allows access to information in different databases "without the need for a single widely known personal identification number that may be misused." (p 5) The Royal Academy of Engineering (RAE) explained that it is possible for individuals to fulfil their legitimate need or desire to maintain multiple roles or identities in transactions with state or other organisations and to avoid the possibility of those organisations needlessly correlating them. The technology involved in identification can be developed to suit an individual's preference to keep domestic status and work life separate, where the protection of identity is necessary to avoid abusive relationships or stalking, or where witnesses and children need protection.[118] We recommend that the Government's development of identification systems should give priority to citizen-oriented considerations.

269.  The Department for Business, Enterprise and Regulatory Reform (BERR) told us:

    "It is the responsibility of each and every public authority to conduct any interaction with the public with legal care, consideration and a respect for fundamental human rights, particularly with regard to the collection, retention and sharing of personal data ... BERR takes the mantle and responsibility of public confidence very seriously, both understanding and acting to maintain the delicate balance between individual liberties and the safeguarding of the community in a democratic society." (pp 325-26)

270.  Other Government departments also provided evidence of their efforts to protect privacy and work within the current human rights and regulatory frameworks. (pp 323-41)

271.  In 2006, the Government established a Ministerial Committee, MISC 31, to develop a comprehensive data sharing policy for the public sector by Spring 2007. Although MISC 31 produced a "vision statement" on information sharing,[119] it never issued a final report and was eventually "overtaken by events". (Michael Wills MP, Q 974; and p 323) This coincided with the accession of Gordon Brown as Prime Minister, who, Michael Wills said, "felt there were real issues that needed to be addressed here … I think [MISC 31] did a valuable job in promoting collaboration. Some of the fruits of it we are still taking through". (Q 974)

272.  Michael Wills and Belinda Crowe, Head of Information Rights Division at the MoJ, told us that the Data Sharing Review Report, by Richard Thomas, the Information Commissioner, and Mark Walport, Director of the Wellcome Trust (the Thomas-Walport Review), was by then considering some of the issues surrounding data sharing and privacy, and that the reviews of data losses[120] would play an important part in future thinking. (Q 974)

273.  The work of MISC 31 has continued through inter-departmental activities. The MoJ explained that:

    "As part of the Service Transformation Plans, the MoJ will lead a cross-government programme to deliver a package of measures over the next three to five years to overcome the current barriers to information sharing within the public sector. The aim of this programme is to 'develop frameworks and mechanisms that enable public sector organisations to share information to improve personalised public services, increase public safety and tackle social exclusion in an environment of openness and respect for citizens' privacy and access rights'". (p 323)

274.  The House of Commons Home Affairs Committee's report, A Surveillance Society?, recommended that "the principle of restricting the amount of information collected to that which is needed to provide a service should guide the design of any system which involves the collection and storage of personal information. We recommend that the Government adopt a principle of data minimisation in its policy and in the design of its systems."[121]

275.  We recognise the need for data sharing across departments and agencies, but the principle of minimisation of data collection and processing must be rigorously observed. The Coroners and Justice Bill was introduced to the House of Commons on 14 January 2009 and contained proposals for extensive data sharing powers for the Government. We will pay particular attention to the parliamentary debates on this bill and conduct our usual bill scrutiny on it when it reaches this House.

276.  In the course of developing the National Identity Card Scheme, the Government have sought to reassure the public that there will be appropriate safeguards in place to protect individual privacy. So far, however, a detailed description of these safeguards and how they will operate in practice has not emerged.[122] Central to the new scheme will be the use of biometrics. Fingerprints, iris patterns and facial recognition are forms of biometrics that are used in identification schemes. The independent Biometrics Assurance Group has commented on some inadequacies in the National Identity Scheme's system of identification and privacy protection, and on matters of consent and overall transparency. It has made recommendations for improvement in legal compliance, data sharing, and ensuring that cards and biometrics are compatible which have been accepted by the Identity and Passport Service.[123]

277.  The Government have shown awareness of the need for privacy protection and the importance of maintaining public trust in other areas of surveillance and data use. The National DNA Database Ethics Group is responsible for maintaining a watching brief on broader issues.[124] The National CCTV Strategy has recommended that there should be better regulation of CCTV in the interests of privacy and data protection.[125]

278.  We wrote to Vernon Coaker, asking for further information on the reported Government plans to create a centralised database which would keep a record of every electronic communication in the United Kingdom. His reply to us indicated that the Government was looking at ways of retaining communications data in the future but that this did not include recording the contents of the communications. (pp 361-62)

279.  Vernon Coaker subsequently told us that "we are concerned about the way in which the capacity of law enforcement and the security services to access some of the data that they have been able to access is diminishing and we are concerned about some of the threats there are to that … the problem is that in a technological world where all of us are struggling to keep up the idea that all of the communications can be accessed now because somebody phones somebody else and the way in which it is changing through the internet is problematic for us. As a Government we have to take account of those changes in technology to ensure that our law enforcement and security services have the capacity to collect the information and data that they need". (Q 1041) He also stressed that "it is about maintaining our capacity, not about increasing it." (Q 1045)

280.  He told us that the Government are "looking at the options that are available to us", with a public consultation document to follow in early 2009. (QQ 1041-42)

Privacy protection in government: addressing weaknesses

281.  Tony McNulty told us of the Government's concern for privacy and awareness of the need for control over surveillance and the use of data. (Q 924) Recent data losses raise concerns about the way in which data security relates to data protection and human rights in the development of policies involving personal data.

282.  The priority given to the rights of the individual over those of the state was commented on by Belinda Crowe:

283.  The Government have begun to act on many of the recommendations of recent critical reports on the storage and handling of personal data. If these recommendations were implemented effectively, they would eliminate many of the identified weaknesses of government as a controller of citizens' personal data and have a positive effect on citizen-state relations. But as yet there is little reason to doubt the critical observation made by the Joint Committee on Human Rights (JCHR) in its report, Data Protection and Human Rights, that "there is insufficient respect for the right to respect for personal data in the public sector."[126]

284.  Michael Wills said that "a radical change of culture" was needed within Government about how they handle data: "That is the cultural challenge that all of us face—ministers, politicians and officials alike—and that is the challenge with which we are now grappling". (Q 972)

285.  A succession of events has brought the Government to this conclusion.[127] Michael Wills agreed that, pending the recommendations of the recent reviews of data handling and data losses, "when you talk about privacy, there clearly is a role for some kind of formal mechanism for ministerial collaboration on these issues". (Q 975)

286.  In the UK, the MoJ has departmental responsibility for data protection. During our visit to Canada, we learned that one of the responsibilities of the Canadian Department of Justice (DoJ) was to monitor developments in this field and to examine provisions for data sharing in different government departments. For example, lawyers from the DoJ actively worked inside other government departments, reporting back to the DoJ where necessary. In addition, the Canadian Minister of Justice has a statutory responsibility to certify that legislation is compatible with the Charter of Rights.[128]

287.  The JCHR has recommended enhancing the role of the data protection minister in this country, and giving the office a higher profile within government.[129] In response, the Government stated that departments were best placed to manage their own information, and that the cross-government Data Handling Review would show how co-ordination and learning would be carried out.[130]

288.  The interim report of that Review emphasised solutions and new governmental roles, for example departmental Senior Information Risk Owners, which relate mainly to information risk, security and assurance.[131] Whilst these are important issues, to concentrate on them may inhibit a more rounded consideration of privacy protection and the role of responsible ministerial leadership.

289.  The Data Handling Review itself highlighted deficiencies not only in data security and protection, but also in civil service working culture and the understanding of the value of information. It expressed concerns about the responsibilities of chief executive officers and permanent secretaries for data handling, the standardisation of procedures, transparency, and performance scrutiny.[132] Among its specific recommendations were for Privacy Impact Assessment (PIA) (which we discuss in Chapter 6), better staff training and higher professional qualifications, risk assessment, and Cabinet Office responsibility for overseeing progress.[133] In an Annex, the Government asserted that the Cabinet Office was assisting in the promotion of cross-departmental learning.[134]

290.  We agree with the recommendation of the Joint Committee on Human Rights that the role of data protection minister should be enhanced and its profile elevated, and are disappointed that the Government's response has not grasped the main point about the need for more effective central leadership. The Government should report to the House through this Committee on the feasibility of having Ministry of Justice (MoJ) lawyers working in other departments and reporting to the MoJ on departmental policies with data protection implications, and of certification of legislative compatibility with the Human Rights Act 1998. This should be in conjunction with the current system of certification of compatibility by the Minister in charge of each bill going through Parliament.

291.  The Thomas-Walport Review identified inadequacies in the powers of the Information Commissioner to enforce the Data Protection Act 1998 (DPA), and sought to lift the "fog of ambiguity and uncertainty" caused by the complexity of the law and the plethora of guidance that inhibited legitimate data sharing.[135] The public sector was said to be lagging behind the private sector in the governance of information handling.[136] The Government have investigated serious lapses in data security, and implemented many of the recommendations of the Thomas-Walport Review. Government departments were taking remedial action before the Data Handling Review was published.[137]

292.  The Thomas-Walport Review identified a need to improve decision-making about data sharing, to improve transparency and training, to use technology better to protect privacy, and to introduce other reforms in organisational culture and processes. We support the recommendations made in the Thomas-Walport Data Sharing Review Report for changes in organisational cultures, leadership, accountability, transparency, training and awareness, and welcome the Government's acceptance of them. We urge the Government to report on their progress to Parliament.

PRIVACY IMPACT ASSESSMENT AND RISK

293.  There is also a need to respond to risk more effectively, and to increase public understanding of the risks involved in government and private sector information practices. The Coleman Report on Protecting Government Information examined the dangers of fraud, accidental damage and loss of data, espionage, cyber attack, and insider threats.[138] The Report recommended new processes and structures to deal with these risks, together with independent oversight and the introduction of Privacy Impact Assessments (PIAs).[139] The Government have accepted the main thrust of the Coleman Report's recommendations.[140]

294.  Professor Angela Sasse, of University College London, and representative of the UK Computing Research Committee (UKCRC), told us:

    "The key problem is really that our ability to assess risks associated with information technology with electronic data has not kept up … The people who are handling the amounts of data, because they are in contact with them every day, are utterly blasé about the risks associated with the data and the value and they have no understanding … about the impact that that disclosure or leaking of those data has on the lives of the individuals who are affected by this leakage. Given that it is Government handling their own citizens' data, that is something that has to change. The Government have a duty of care." (Q 381)

295.  The assessment of risk is central to the idea of PIAs, which are defined as "structured assessments of a project's potential impact on privacy, carried out at an early stage."[141] The Government currently advise that PIAs should be undertaken in the early stages of any policy implementation where information technology and systems are being developed for the purpose of data processing and surveillance. The Information Commissioner, Richard Thomas, told us that a number of foreign jurisdictions—notably Australia, Canada, New Zealand, and the United States—have introduced mandatory PIA systems, and require that all government departments produce and publish a PIA before any new information gathering or processing system is introduced. (p 5)[142]

296.  Many of our witnesses supported the implementation of PIA. The Commissioner has strongly promoted PIA and in 2007 his office produced a handbook of materials on PIA procedures.[143] He told us:

    "It requires any major initiative, which is going to collect and use personal information, to go through a checklist … showing how they have identified the risks, they have minimised the intrusion and they have put safeguards in place." (Q 29)

297.  Jonathan Bamford, Assistant Information Commissioner, told us:

    "The vision is based on other jurisdictions where it tends to be public authorities who are actually engaging in the use of information that applies to lots of people, used for potentially sensitive purposes like health. Obvious examples … would be ones like ID cards … Connecting for Health and the wider use of patients' information beyond their own surgeries." (Q 31)

298.  The ICO told us that one major benefit is that the assessment process can take place "during the development of proposals when there is still an opportunity to influence the proposal." In addition, by requiring PIAs to be undertaken by a third party independent of the organisation introducing the new measure, the system can provide a measure of external validation. (p 5)

299.  Professor Sasse told us:

    "I believe that if that were done competently and honestly, it would lead to much better protection and it would lead to less off-the-cuff decisions about what data to collect and how long to keep them for. If it is done competently and honestly, it also has a big pedagogical effect on the people in a company, so they learn how to do things better, they learn what to care about." (Q 408)

300.  Dr Victoria Williams, a member of the Bar who has made a special study of PIA,[144] agreed that "PIAs, properly done, can impose that degree of mental discipline in analysing the potential impact of the surveillance programme. It requires the proposal to be broken down and considered analytically and made public … It also lays bare the internal workings of the scheme so that then whatever regulatory regime is in place can bite into those stages." She also suggested that PIA "might provide a framework for incorporating notions of how mass surveillance might affect society as well as simply data protection issues for the individual." (Q 592)

301.  PIA could become an effective means of monitoring the effect technology such as public area CCTV may have on society as a whole. According to Dr Williams, the question of whether PIA could be adapted to systems of public area surveillance would depend on establishing through a constitutional review that a social impact was involved, and that the constitutional rights of free speech and assembly needed reinforced protections. (pp 210-11)

302.  Witnesses drew our attention to the dangers of implementing PIA but then failing to take account of the assessments. Dr Williams expressed concern over the possibility of PIA becoming a perfunctory bureaucratic exercise. (Q 592) In order to avoid the "risk [of PIA] becoming mere paperwork", she contended that "surveillance" PIA should be published, reviewed, approved by a competent authority, and linked to planning, regulatory, or funding decisions. (p 210) Under the E-Government Act of 2002, most of these conditions are imposed on agencies in the USA federal public sector.

303.  Officials at the US Department of Homeland Security (DHS) argued that PIA was a useful technique because it forced the DHS to think very carefully about privacy and how to build in privacy safeguards. The system had "teeth" because PIAs in the USA were linked to funding. In addition, the officials believed that PIAs should be made public so as to improve awareness of Government surveillance activities, and raise levels of public confidence and trust.[145]

304.  Members of the Center for Democracy and Technology in Washington, DC told us that PIAs varied considerably in quality. They suggested that some, such as those used for the new passport system, were little more than mere "box-ticking" exercises. We were told that the US Government is seeking to develop and disseminate best practice. Nonetheless, members of the Center thought that if departments were determined to press ahead with particular schemes, it was unlikely that PIAs could make much difference.[146]

305.  Dr Gus Hosein, Senior Fellow at Privacy International, and Visiting Senior Fellow at the London School of Economics (LSE), told us that it would be "a highly recommended step forward" for the UK Government to be required to undertake PIAs. However he warned that it was possible that a highly privacy-invasive scheme might pass a PIA test, as he claimed was the case with the US-VISIT programme that takes and stores the fingerprints of all foreign visitors to the United States. (Q 245) Dr Williams drew our attention to the FBI's PIA for their DNA database, a document which "ticks all the boxes and … complies with all the criteria" but was not informative. (Q 592)

306.  We welcome the commitment in the Government's Data Handling Review to adopt PIA across all departments.[147] PIA is now also adopted in identity management programmes.[148] The Thomas-Walport Review saw PIA as a way "to make clear the thinking behind a proposed data-sharing scheme and to demonstrate how the questions of proportionality are being addressed."[149] The Review recommended that any draft order laid by a Secretary of State to remove or modify a legal barrier to data sharing must be accompanied by a "full and detailed" PIA that would "assist both the Information Commissioner and Parliament's consideration."[150] The Government's response to the Review accepted the requirement of a mandatory PIA in such circumstances, but appeared to outline a version of a PIA that would also emphasise "benefits for individuals and the general public" of a proposed data sharing initiative.[151] We would be concerned if the main purpose of a PIA were to reflect such emphases, or if PIAs were not conducted sufficiently early in the policy process.

307.  We recommend that the Government amend the provisions of the Data Protection Act 1998 so as to make it mandatory for government departments to produce an independent, publicly available, full and detailed Privacy Impact Assessment (PIA) prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing. The Information Commissioner, or other independent authorities, should have a role in scrutinising and approving these PIAs. We also recommend that the Government—after public consultation—consider introducing a similar system for the private sector.

NECESSITY AND PROPORTIONALITY

308.  In order to comply with the Human Rights Act 1998 (HRA) and Article 8 of the European Convention on Human Rights (ECHR), organisations engaged in surveillance and data collection must ensure that such activities are both necessary and proportionate.

309.  Professor Graeme Laurie of the University of Edinburgh Law School, who contributed to the Nuffield Council on Bioethics' report on The forensic use of bioinformation: ethical issues, told us that the starting point for that report was:

310.  Gareth Crossman, the then Director of Policy at Liberty, went further:

    "The question of proportionality is very important. Legitimate state interference into individual privacy is, of course, part and parcel of a democratic society, but as a consequence of a number of factors over the last few years, the concept of proportionality … the need to only do things in a way which is appropriate to the situation faced, has fallen away from surveillance, whether it be mass surveillance through a database, whether it be through visual surveillance of CCTV or targeted surveillance through the use of the Regulation of Investigatory Powers Act, so underpinning our concerns over surveillance is that the accountability and proportionality elements have fallen away." (Q 221)

311.  Dr Eric Metcalfe, Human Rights Policy Director for JUSTICE, suggested that Parliament might restrain the executive's enthusiasm for surveillance by "refusing to pass disproportionate laws" and by scrutinising laws "very closely in terms of their proportionality and, going back to the basic point, the necessity. Is it actually necessary, for example, to create a national identity card?" (Q 248)

312.  Peter Hustinx, the European Data Protection Supervisor, raised a related concern about necessity in the context of counter-terrorism and security in Europe:

    "We see it all the time: measures are being piled up and they are not being evaluated. Sometimes there is an overdrive: 'This is important; we cannot wait; we need to do this now', and the overdrive is the moment where risks are taken without sufficient evaluation because there is a perceived need to do something." (Q 479)

313.  In his view, the proposal for the European Passenger Name Record[152] failed to provide much evidence of necessity and proportionality except vaguely and anecdotally. (Q 481) Professor Bert-Jaap Koops, Professor of Law and Technology at Tilburg University Institute for Law, Technology and Society (TILT), thought that Article 8 of the ECHR, which guarantees a right to privacy with certain restrictions, was too easily overridden by governments' unsubstantiated assertions about the necessity of, for example, an anti-crime measure. (Q 492)

314.  On the other hand, we were told by David Feldman, Rouse Ball Professor of English Law, University of Cambridge, that the test of necessity "requires that the interfering authority must show that the interference serves a legitimate aim, and that is not too difficult a job to meet." (Q 520) However:

    "A proportionality requirement … can be a substantial burden on a justifying agency, but whether it is a really robust protection depends on how effectively the reviewing body applies the proportionality test and also how carefully the body which has to authorise the interference in the first place applies it. If it works well, it can be a very effective protection indeed … If one were to adopt … a more deferential view to the question of proportionality and treat with considerable respect the view of the original decision-maker as to whether the interference was justified and proportionate, that would be a much less useful protection." (Q 520)

315.  Sir Christopher Rose, the Chief Surveillance Commissioner, whose staff scrutinise the decisions of officers who authorise surveillance, commented on how the proportionality of surveillance was determined:

    "The methods used have to be proportionate to what is sought to be achieved, and so authorising officers, whether of law enforcement agencies or other public authorities … have to balance the intrusiveness of the activity against the operational need, and that is something which can be found in the Code of Practice." (Q 664)

316.  Sir Paul Kennedy, the Interception of Communications Commissioner, saw necessity and proportionality as offering protection to the citizen. (Q 721) His inspectors found that, in almost all cases, the application for communications data was justified. (Q 716) However, Sir Paul accepted the need for periodic inspections because of the possible slippage in standards. (Q 724) He also considered that the training for police offered under the auspices of the West Mercia Police Force had contributed to great improvements. (Q 708) The Home Office, the Association of Chief Police Officers (ACPO) and the Local Authority Coordinators of Regulatory Services (LACORS) ensure that local authority authorising officers receive legal and human rights training with respect to surveillance. The training is designed "to ensure they have a thorough understanding of necessity, proportionality, privacy issues, collateral intrusion, etc."[153]

317.  Sir Christopher Rose described the human rights element of the training received by authorising officers for making these judgments. (Q 666) He told us that law enforcement authorities were much closer to achieving a uniform standard of compliance than were "some public authorities" (Q 651):

    "So far as the law enforcement agencies are concerned, all of them, I think I can say now, with no obvious exception, take seriously their responsibilities to act essentially in a human rights compliant way … and they have gone to considerable lengths to provide the training so that their officers who are doing this job know exactly what they are doing … Other public authorities I am less confident about." (Q 655)

318.  The Chief Surveillance Commissioner's 2007 Annual Report was more explicitly critical on this point:

    "[Government departments and local authorities] tend to resort to covert activity as a last resort but, when they do, have a tendency to expose lack of understanding of the legislation by completing documentation poorly. In particular there is a serious misunderstanding of the concept of proportionality. It is not acceptable, for example, to judge that because directed surveillance is being conducted from a public place, this automatically renders the activity overt or to assert that an activity is proportionate because it is the only way to further an investigation."[154]

319.  Such criticism is serious, as is demonstrated by recent reports of local authority covert surveillance, which we reflected on in Chapter 4. Training personnel, and helping them better to understand the meaning of necessity and proportionality in the context of the Regulation of Investigatory Powers Act 2000 (RIPA), appears to be a crucial element in helping to safeguard the citizen against excessive surveillance. Inadequate and inconsistent training in organisations permitted to engage in surveillance is likely to have detrimental effects on public trust, and to lead to concern about the possibility of the state's infringing people's legitimate expectation of privacy.

320.  Codes of Practice can play an important role in guiding decisions on necessity and proportionality. Several Codes of Practice are in force under RIPA.[155] Both Sir Christopher (Q 664) and Sir Paul (Q 724) referred to Codes when telling us about the application of the tests in their respective areas of responsibility. The Codes give extensive and detailed guidance on the determination of necessity and proportionality, and on the importance of making correct determinations for the protection of human rights. The work of the Commissioners' inspectors involves establishing that authorisations have complied with legislation and with the Codes.

321.  Sir Paul Kennedy's Annual Report for 2007 indicated the central importance of the Code of Practice in regulating communications surveillance practices. The Report remarked that local authorities' specialist staff who were involved in applications for communications data did not receive training to the same standard as in other public authorities, and that this had resulted in a lower level of compliance with the Code of Practice.[156] For the year ahead, Sir Christopher Rose's Annual Report for 2007-2008 welcomed without further clarification "the intention to identify and amend those elements of the legislation or Codes of Practice that, in the light of experience, are unnecessarily inhibiting operational effectiveness."[157]

322.  We would be concerned if the application of the Code were to be substantially softened in order to facilitate surveillance operations. The Codes do not, by themselves, instruct authorising officers how to interpret the criteria in individual cases and to determine whether a particular measure is both necessary and proportionate.

323.  We recommend that the Government devote more resources to the training of individuals exercising statutory surveillance powers under the Regulation of Investigatory Powers Act 2000, with a view to improving the standard of practice and respect for privacy. We recommend that the principles of necessity and proportionality are publicly described and that the application of these principles to surveillance should be consistent across government.

The limits of legal regulation

324.  We do not believe that the Government should confine themselves to questions of legal authorisation and compliance when seeking to improve surveillance practices. Although proper legal regulation is clearly necessary and important, we believe that the law alone cannot prevent individuals and institutions from abusing their surveillance powers. We agree with the JCHR that concentrating on legal responses is unlikely to generate the required level of commitment to human rights or concern for privacy amongst public sector staff.[158]

325.  In addition, ensuring compliance with the law may not lead to an increase in public trust and confidence. Surveillance and data handling practices that are perfectly legal may nonetheless be undesirable according to other broader ethical or constitutional criteria. This may be particularly true where the legal rules are based on primary or secondary legislation that has not been sufficiently scrutinised by Parliament. We discuss such issues in Chapter 7.

TECHNOLOGICAL SAFEGUARDS: STRENGTHS

326.  "Privacy-enhancing technologies" (PETs) are technological safeguards that form part of the design of systems that gather and process personal information. PETs are central to the idea of "privacy by design",[159] which suggests that privacy is best protected by a comprehensive strategy that embraces organisational, technical, and legal responses to the challenge of surveillance. If PETs are effective, they reduce the need for individuals to rely on the law and formal regulations in order to protect their privacy.

327.  The main assumption behind PETs is that design solutions can directly and reliably reduce the dangers associated with certain surveillance and data processing technology. The design of software may, for example, allow or prohibit certain operations that involve the collection of personal data. Information system architecture and the default rules which are built into the design of such systems can be more, or less, protective of privacy, depending on the decisions that lie behind their design and implementation.[160]

328.  The Information Commissioner, who actively promotes "privacy by design", has published guidance material explaining and encouraging the use of PETs, and highlighting how they can give people greater control over their information and how it is used.[161] His response to the Government's consultation on Transformational Government focused on their importance.[162] Jonathan Bamford expressed the hope that those developing technology would seek to "look at privacy friendly ways of using that technology." (Q 27)

329.  David Smith, Deputy Information Commissioner, told the House of Commons Justice Committee:

    "Data minimisation … is absolutely key to data protection and, when we are talking about these technological approaches, we are not just talking about security, we want a technological approach to the whole of data protection, what we term privacy enhancing technology: building in compliance, data minimisation, checks on accuracy, all part of the system".[163]

330.  Data encryption is an example of a PET currently used by many public and private sector organisations. Jonathan Bamford noted that the use of encryption in laptops is a relatively simple and cost-effective privacy protection. (Q 27) However, the encryption policies and practices of Her Majesty's Revenue and Customs (HMRC), including the failure to use appropriate levels of encryption when dealing with highly sensitive personal data, were heavily criticised in Kieran Poynter's Review of Information Security at HM Revenue and Customs.[164]

331.  The effectiveness of encryption tools will vary according to the competence of the people using them and their awareness of the importance of individual privacy. A number of reports have highlighted serious shortcomings in the approach taken to encryption in the public sector in recent years. We believe that encryption has a vital role to play in ensuring the security of data, and that the Government should insist upon its use as appropriate throughout the public and private sectors.

332.  Authentication and identification systems provide another means by which privacy can be protected through design. Increasingly, people are being asked to identify themselves or to "show ID" in situations where previously identification would have been considered unnecessary. Often, however, all that is actually required is verification of entitlement (for example, to receive a service or benefit, or to gain access to premises), and there is no obvious need for individuals to disclose their personal details. Systems can be designed to provide services on an anonymous basis, rather than requiring personal details to be revealed every time someone's claim for a service or benefit needs to be verified.

333.  As the RAE has shown, identification and verification systems can be designed with a view to providing individuals with a significant amount of control over the disclosure of their personal information.[165] The RAE report observed that phone or travel cards are good examples of technology that enables payments to be made anonymously. Other forms of card can be developed that can, for example, be used to provide access to premises, or for the purposes of international travel, which do not divulge the identity of the card holder, but where the encrypted identification data can be accessed for legitimate reasons by law enforcement authorities.[166] However, NO2ID argued that the identity card scheme had "consistently blurred the distinction between authentication and identification, as if it doesn't matter." (p 427)
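The distinction drawn in paragraphs 332 and 333, as an added illustration that is not code from the report or from any named scheme: an issuer signs a credential carrying only a serial number and an entitlement; the service verifies the entitlement without learning who holds it; the holder's identity is released only against a recorded authorisation. The HMAC-based signature (a shared-key stand-in for a public-key signature), the issuer-side escrow table (standing in for encrypted identity data on the card), and all field names and sample values are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Fields that must never appear in the credential the service sees
# (constructed list for this example).
IDENTITY_FIELDS = {"name", "date_of_birth", "address", "national_id"}


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Issuer:
    """Issues entitlement credentials and holds identity in escrow.

    Assumption: HMAC-SHA256 with a key shared between issuer and verifier
    stands in for a public-key signature; with a real signature the verifier
    could check credentials without being able to mint them.
    """

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._escrow = {}       # serial -> identity record, issuer-only
        self.access_log = []    # every lawful lookup is recorded for audit

    def issue(self, identity: dict, entitlement: str, ttl_seconds: int, now=None) -> dict:
        now = time.time() if now is None else now
        serial = secrets.token_hex(16)   # random: unlinkable to the holder without escrow
        self._escrow[serial] = dict(identity)
        payload = {"serial": serial, "entitlement": entitlement,
                   "expires": int(now + ttl_seconds)}
        tag = hmac.new(self._key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def lawful_lookup(self, serial: str, authorisation: dict) -> dict:
        """Release identity only against a complete, logged authorisation."""
        required = {"authorising_officer", "reference", "purpose"}
        missing = required - set(authorisation)
        if missing:
            raise PermissionError("incomplete authorisation: " + ", ".join(sorted(missing)))
        if serial not in self._escrow:
            raise KeyError("unknown serial")
        self.access_log.append({"serial": serial, "at": int(time.time()), **authorisation})
        return dict(self._escrow[serial])


def verify_entitlement(credential: dict, key: bytes, expected: str, now=None) -> bool:
    """Service-side check: genuine tag, unexpired, right entitlement, no identity data."""
    now = time.time() if now is None else now
    payload = credential["payload"]
    if IDENTITY_FIELDS & set(payload):
        return False   # data minimisation: refuse credentials that carry identity
    expect_tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect_tag, credential["tag"]):
        return False   # tampered or forged
    if payload["expires"] < now:
        return False
    return payload["entitlement"] == expected


if __name__ == "__main__":
    key = b"constructed-shared-key"
    issuer = Issuer(key)
    cred = issuer.issue({"name": "A. Holder"}, "concessionary_travel", 3600)
    print("service accepts:", verify_entitlement(cred, key, "concessionary_travel"))
    print("service sees:", cred["payload"])   # serial, entitlement, expiry only
```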

334.  The ability to connect information systems and databases operated by separate organisations raises the question of how far privacy can be protected in the face of the Government's commitment to Transformational Government and greater data sharing in the public sector. The Home Office has said, for example, that under the National Identity Scheme:

    "The NIR [National Identity Register] will not be a single, large database. The sets of information—biometric, biographical and administrative—do not all need to be held in a single system. To help safeguard information and make best use of the strengths of existing systems, it makes sense to store them separately."[167]

335.  However, where separate systems are merged into one database, security may be improved through policies and designs aimed at ensuring the separation of the identity documents associated with these systems. But whether databases of personal details are held separately but are accessible through technical and organisational procedures, or combined into one large collection, technical safeguards can play an important part in providing security as well as in privacy protection.

336.  Following the repeated loss of personal information by various departments, the Government have argued that better handling of data will require a host of information security measures to be implemented commonly across the state. These include encryption where necessary, secure storage, access and transfer, minimisation of the amount of information transferred by disc or laptop, and the logging and monitoring of use.[168]

337.  We welcome the Government's plans for better data handling. We recommend that the Government's report on progress on data handling and security be scrutinised by parliamentary committees.

THE LIMITS OF TECHNOLOGICAL SOLUTIONS

338.  The limits of PETs are still being explored and debated by information specialists and lawyers. The RAE report said that whilst it was "not possible to guard against all conceivable ways of invading privacy … it is possible to 'design out' unnecessary compromises of privacy."[169]

339.  Technological solutions, if not pursued within a wider design framework, may help to limit surveillance and protect privacy, but they should not be seen as a stand-alone solution. This is because the specific rules, norms and values (for example, data minimisation, access controls, and the means of anonymity) that may be built into technological systems must come from outside those systems themselves. We believe it is important to avoid assuming that a "technological fix" or "silver bullet" can be applied to what are essentially social and human rights issues.

340.  Professor Martyn Thomas, independent consultant and representative of the UKCRC, told us:

    "There is a fundamental weakness at the heart of the transformational government agenda which is that you cannot build large databases that are accessible to a wide number of people and maintain a high degree of security … it is very difficult to build a database that is technically secure on top of commercially available, off-the-shelf software components, because almost all of them were not designed to support such a use, and to connect such a database to the internet simply creates a honey pot that virtually guarantees that the data will be extracted from it in a way that was not planned for or intended." (Q 407)

341.  He pointed to a specific obstacle in the way of better security protection for personal data:

    "There is guidance in the Manual of Protective Security on how to carry out impact assessments on what the likely impact is of loss of personal data and on how such data should be protected. That manual is classified. As a consequence, it has not been peer-reviewed because it is only available to people whom government departments believe have a need to inspect it … I would expect that that peer review would lead to significant strengthening of the protection that was required of personal data because it would be seen to be clearly inadequate." (Q 407)

342.  In the interests of strengthening the protection of personal data, we urge the Government to make the Manual of Protective Security subject to regular and rigorous peer review.

343.  Going beyond the application of technological remedies, Professor Thomas outlined what needs to be done if privacy is to be taken seriously:

    "It requires proper hazard analysis … and then an appropriate set of protections to be put in place to address each of the hazards … It means using the appropriate technical … [and] social means to ensure that, firstly, you have understood the level of privacy that you are seeking, what level of breaches of confidentiality do you regard as tolerable … that you actually build the business processes, the social systems, the training and the technology to deliver that level of confidentiality in the systems … At the moment, that analysis appears not to be being done. There is no technical barrier to it being done, but it would lead to a lot of systems turning out to be a lot more expensive or not practical." (Q 416)

344.  The importance of improving the technological safeguards for privacy has been underscored by the Council for Science and Technology (CST) in their plea for further research into PETs, including techniques for anonymising data, encryption, and countering viruses.[170]

345.  In the light of the potential threat to public confidence and individual privacy, we recommend that the Government should improve the safeguards and restrictions placed on surveillance and data handling.

346.  Toby Stevens, Director of the Enterprise Privacy Group, outlined current developments in industry regarding privacy technology:

    "The industry is focused very hard on this. The problem that they often seem to stumble up against is the lack of a common framework, a common language, a common understanding of what the problems are and what the desired outcomes look like … To date, most of the privacy-enhancing technology programmes that we have seen over recent years have failed, either due to lack of interoperability between those that roll them out or a lack of perceived consumer demand. That does not mean it is not there, but the consumers have failed to understand what it is they are being offered." (Q 297)

347.  This situation is likely to inhibit government procurement of privacy-enhancing technology which, in the view of Philip Virgo, Secretary General of EURIM (the European Information Society Group), is already compromised by the life-cycle of the procurement process and the effect of the "churn" of ministers and officials on project specifications. (Q 303) Toby Stevens also thought that "government procurement does not reflect good privacy practice in general." (Q 303)

348.  As the state is the main single "customer", public sector procurement specifications have an important influence on system design. The CST suggested that government, as the major procurer of information technology services and systems, should use procurement specifications to effect improvements in security.[171] In order for this to happen, as Professor Sasse told us:

    "It is the people who are commissioning and paying for the system who should have to be clear about what their security requirements are. Ultimately, the company who is building the thing will only give the customer what they ask for. They may raise a few points but currently we really have a problem that the customers often do not articulate their security requirements, they do not think about them." (Q 415)

349.  We recommend that the Government review their procurement processes so as to incorporate design solutions that include privacy-enhancing technologies in new or planned data gathering and processing systems.


114   Gordon Brown MP, Speech on Security and Liberty, op. cit.

115   Transformational Government-Enabled by Technology, op. cit., para 39(4); Cabinet Office, Transformational Government-Implementation Plan, March 2006, paras 53-58.

116   Transformational Government-Implementation Plan, op. cit., paras 66-67.

117   Sir James Crosby, Challenges and Opportunities in Identity Assurance, March 2008, p 3 and para 1.5.

118   Dilemmas of Privacy and Surveillance: Challenges of Technological Change, op. cit., section 7.1.2.

119   Information Sharing Vision Statement, op. cit.

120   Data Handling Procedures in Government: Final Report, op. cit.; Review of Information Security at HM Revenue and Customs, op. cit.; Report into the Loss of MOD Personal Data, op. cit.

121   A Surveillance Society?, op. cit., para 163.

122   See for example http://www.homeoffice.gov.uk/passports-and-immigration/id-cards/how-the-data-will-be-used/

123   Biometrics Assurance Group, Annual Report 2007.

124   1st Annual Report of the Ethics Group: National DNA Database, op. cit.

125   National CCTV Strategy, op. cit., Chapter 3.

126   Data Protection and Human Rights, op. cit., p 3, and para 27.

127   See Box One above.

128   Appendix 4, para 4.

129   Data Protection and Human Rights, op. cit., para 26.

130   Government Response to Data Protection and Human Rights, op. cit., pp 6-7.

131   Cabinet Office, Data Handling Procedures in Government: Interim Progress Report, December 2007, paras 7-12.

132   Data Handling Procedures in Government: Final Report, op. cit., paras 7-9 and Section 2.

133   ibid., Section 2.

134   ibid., Annex I.

135   Data Sharing Review Report, op. cit., Foreword, Chapter 7, and paras 5.21, 5.26, 5.30, 8.28.

136   Data Sharing Review Report, op. cit., paras 1.4, 5.28-5.29, 8.3-8.4.

137   Data Handling Procedures in Government: Final Report, op. cit.

138   Protecting Government Information-Independent Review of Government Information Assurance (The Coleman Report), June 2008, Chapter 3.

139   ibid. See especially p 7.

140   Data Handling Procedures in Government: Final Report, op. cit., pp 39-40.

141   Data Sharing Review Report, op. cit., para 5.5.

142   See also A Report on the Surveillance Society, op. cit., sections 45.1-45.2.

143   See http://www.ico.gov.uk/for_organisations/topic_specific_guides/pia_handbook.aspx

144   Williams V, "Privacy Impact Assessment and Public Space Surveillance", 2007.

145   Appendix 4, para 77.

146   ibid., paras 50-51.

147   Data Handling Procedures in Government: Final Report, op. cit., para 2.11.

148   ibid., p 40.

149   Data Sharing Review Report, op. cit., para 5.5.

150   ibid., para 8.43.

151   Response to the Data Sharing Review Report, op. cit., p 17.

152   A Passenger Name Record (PNR) holds many details about a passenger, including name, age, details of contact, ticketing and payment, frequent flyer details, special meals or personal assistance needs, passport details, itinerary, etc.

153   LACORS Parliamentary Briefing Document on the Draft Consolidating Orders on the Regulation of Investigatory Powers Act 2000 (RIPA), June 2008, pp 4-5.

154   Annual Report of the Chief Surveillance Commissioner, op. cit., para 9.2.

155   Covert Surveillance-Code of Practice, op. cit.; Home Office, Acquisition and Disclosure of Communications Data-Code of Practice, 2007; Home Office, Investigation of Protected Electronic Information-Code of Practice, 2007; Home Office, Covert Human Intelligence Sources-Code of Practice, 2002; Home Office, Interception of Communications-Code of Practice, 2002.

156   Report of the Interception of Communications Commissioner, op. cit., para 3.25.

157   Annual Report of the Chief Surveillance Commissioner, op. cit., para 11.1.

158   Data Protection and Human Rights, op. cit., para 21.

159   This seeks to ensure that organisations give due consideration to data protection prior to the development of new initiatives. See Enterprise Privacy Group, Privacy by Design-An Overview of Privacy Enhancing Technologies, November 2008.

160   See Lessig L, Code and Other Laws of Cyberspace, 1999; Reidenberg J, "Lex Informatica: The Formulation of Information Policy Rules Through Technology", Texas Law Review, Vol 76, No. 3 (February 1998), pp 553-93.

161   Information Commissioner's Office, Data Protection Guidance Note: Privacy Enhancing Technologies (PETs), March 2007; and Information Commissioner's Office, Privacy by Design Report Recommendations: ICO Implementation Plan, November 2008.

162   Information Commissioner's Office, Information Commissioner's Response to the Cabinet Office Consultation on 'Transformational Government: Enabled by Technology', February 2006, pp 4-5.

163   Protection of Private Data, op. cit., Oral Evidence, Q 40.

164   Review of Information Security at HM Revenue and Customs, op. cit.

165   Dilemmas of Privacy and Surveillance: Challenges of Technological Change, op. cit., Chapter 7.

166   ibid., pp 37-38.

167   Home Office, National Identity Scheme: Delivery Plan 2008, p 25.

168   Data Handling Procedures in Government: Final Report, op. cit., pp 16-18.

169   Dilemmas of Privacy and Surveillance: Challenges of Technological Change, op. cit., p 37.

170   Council for Science and Technology, Better Use of Personal Information: Opportunities and Risks, November 2005, paras 40-47.

171   ibid., para 44.

© Parliamentary copyright 2009