House of Lords - Surveillance: Citizens and the State

Surveillance: Citizens and the State - Constitution Committee Contents

CHAPTER 7: Parliament

350. In this chapter we consider the role that Parliament plays in surveillance policy.

351. Whilst the courts can declare primary legislation incompatible with the Human Rights Act 1998 (HRA) or strike down secondary legislation in certain circumstances, only Parliament can block legislation. Legislation may be rejected on the grounds that it breaches one or more of the key principles examined earlier in this report, such as the principle of executive self-restraint. As Dr Eric Metcalfe of JUSTICE told us, "it is for Parliament to decide ultimately what laws are made, and to scrutinise those laws very closely in terms of their proportionality and, going back to the basic point, the necessity." (Q 248) The barrister Dr Victoria Williams also emphasised Parliament's role: "In terms of where society draws the line in terms of how much we wish to be watched, it is a matter for the people at large, but of course Parliament is the voice of the people." (Q 605) This safeguard can only be truly effective if government places its surveillance and data schemes in a firm legislative framework.

Primary legislation

352. If Parliament is to scrutinise new government surveillance and data processing initiatives effectively, a sufficient level of detail must be given in primary legislation so that individual provisions can be properly debated and amended where appropriate. A number of witnesses warned that too many bills did not contain that necessary level of detail. For example, Action on Rights for Children (ARCH) commented that "it is unusual to find any power that governs surveillance clearly set out on the face of a Bill", highlighting in particular the Children Act 2004, which "resembled a blank cheque in that it contained a series of provisions for the Secretary of State to prescribe the content and governance of children's databases in regulations. It was only after intense lobbying and parliamentary pressure that the data items were specified on the face of the Bill and agreement reached that regulations would be subject to affirmative resolution." (p 271) Terri Dowty, Director of ARCH, warned us that "we are shifting our legislation to the Executive, effectively, in relying so heavily on secondary legislation, and I think there needs to be greater scrutiny." (Q 832)

353. Several witnesses focused on what they saw as the excessive delegation of powers in the Identity Cards Act 2006. The LSE Identity Project, which conducted extensive research on the introduction of ID cards, commented that "throughout the parliamentary debate about the Identity Cards Act, Home Office Ministers emphasized the fact that the Bill was 'enabling legislation' that would 'allow' a system of identity cards to be introduced." They quoted the minister then responsible, Tony McNulty MP, as saying that "there is much still to be done in terms of detail, regulations and all the other elements."[172] They added, "many of the details of the Scheme are not included in the Act, with these details being left to secondary legislation". The Project's evidence concluded that this Committee should "look again at the role of 'enabling legislation' for legislation with such a profound impact on the relationship between the individual and the State, as there is a strong argument for not leaving the detailed implementation of the Act to secondary legislation". (p 414)

354. However, Tony McNulty insisted that the Act had been drawn more tightly than the other witnesses suggested. In a letter to this Committee, he noted that there were some 74 order-making powers in the Act, but that each order "must comply with sections one to three of the Act which clearly define the statutory purpose of the National Identity Register and the information that it may hold." (p 352) In spite of these reassuring words, we note that the statutory purposes of the Act are drawn in broad and flexible terms, such as "for the purpose of securing the efficient and effective provision of public services."[173]

355. In more general terms, Tony McNulty accepted "the premise that at least very, very clearly the principle and as much as possible the explicit functions and criteria for any data should be on the face of a bill", although he warned that "if you go in for undue specificity in terms of expressing things on the face of the bill, you sometimes cause more problems than leaving things more general." (Q 931) In relation to both the Identity Cards Act and other relevant statutes, the Minister insisted that "there are significant statutory safeguards in place which hold the order making process in check both in compliance with requirements set out in primary legislation and, importantly, by virtue of approval of each House of Parliament." The Government, he said, would "continue to adopt that approach." (p 352) We consider the implications of this approach for the Act's National Identity Register (NIR) later in this chapter.

356. The Joint Committee on Human Rights (JCHR) identified and criticised the trend described above, in respect of data sharing:

174

357. We are concerned that primary legislation in the fields of surveillance and data processing all too often does not contain sufficient detail and specificity to allow Parliament to scrutinise the proposed measures effectively. We support the conclusion of the Joint Committee on Human Rights that the Government's powers should be set out in primary legislation, and we urge the Government to ensure that this happens in future. We will keep this matter under close review in the course of our bill scrutiny activities.

Secondary legislation

358. No matter how much detail the Government puts into primary legislation in this field, some order-making powers will still need to be delegated to ministers in order to maintain a sensible level of flexibility without resorting to continuous amendment. In such cases, it is important that the resulting secondary legislation should be subject to robust parliamentary scrutiny in order to avoid the phenomenon of "function creep", where the scope of the bill is gradually expanded beyond what Parliament originally envisaged. Terri Dowty illustrated this point:

"The classic example was the National Pupil Database. Originally contained in the Education Act 1997 there was the provision to collect information from schools on an aggregate basis in order to plan for services. Into the School Standards and Framework Act [1998] … there was inserted an amendment, halfway through committee stage, that turned that into a power to share individual information about pupils and to specify that information in regulations." (Q 833)

359. Since then, she added:

"We have seen a classic example of function creep, because the school census is now termly and they have gone from collecting very basic information about children to quite detailed information, including how a child gets to school in the mornings, recording behaviour and attendance data, whether they have special needs and whether they have free school meals. This is all going on to the National Pupil Database, which is, as far as we know at the moment, a permanent database without the intention to delete the content of it. That is a perfect example of a power that got through with little scrutiny because at the time there was not the same awareness of the power of databases and of information sharing." (Q 833)

360. An example is local authorities' powers under the Regulation of Investigatory Powers Act 2000 (RIPA), which we reflected on in Chapter 4. Similarly, Liberty gave the following warning in respect of the Identity Cards Act's NIR:

"The reserved powers scattered throughout the Act allow scope for the range of uses and purposes of the NIR, and those who can have access to it, to be increased. If the NIR comes into existence then it is likely to make logistical, financial and political sense to increase the purposes it serves … The experience of the previous World War II identity cards suggests that extra purposes would be found as that scheme saw an increase in uses from three to 39 in 11 years." (p 105)

361. Dr Chris Pounder, then of Pinsent Masons, pointed out that "the NIR started life as a security system and is now a public administration, identity management and security system." (pp 281-82)

362. Some witnesses were worried that the processes for scrutinising secondary legislation were inadequate. Dr Pounder warned that "secondary legislation … is not subject to line by line scrutiny or much debate" and added that "Ministers can expect the use of their powers to be approved by Parliament and it is a very rare occurrence that an SI [Statutory Instrument] is defeated or withdrawn; there are about 2,500 Statutory Instruments … per year and, unless the SI is technically defective, most are not challenged." (p 280) Liberty agreed that secondary legislation receives "scant Parliamentary time". (p 106)

363. Several witnesses felt that the process could be improved by the introduction of amendable secondary legislation. Gareth Crossman, the then Director of Policy at Liberty, explained that, because Parliament could not amend secondary legislation, Parliament did not have the opportunity (for example) to edit a list of bodies to whom a piece of secondary legislation would grant new surveillance powers. He asserted that "there is no constitutional reason whatsoever why Parliament could not be permitted to determine to amend resolutions" and cited the example of the Civil Contingencies Act 2004. (Q 249) Similarly, Terri Dowty suggested that "if we are going to give the Executive such far reaching powers to create legislation then perhaps there needs to be a process whereby things deemed sufficiently serious to warrant affirmative resolution actually receive proper scrutiny by committee and perhaps introduce the opportunity to amend regulations at that stage." (Q 838)

364. Whilst the concept of amending secondary legislation that enlarges surveillance and data powers may seem appealing, we do not believe that it is practical. Making secondary legislation amendable essentially turns it into primary legislation, with all the problems that this implies in terms of securing agreement between the two Houses, parliamentary time and the independence of the judiciary which rules on the legality of orders and regulations. If "function creep" is to be avoided, it will be necessary to strengthen the scrutiny of such secondary legislation in other ways.

365. One way to strengthen the scrutiny of statutory instruments in this field would be for the House of Lords Merits of Statutory Instruments Committee to flag up instruments which in its view inappropriately extend surveillance and data processing powers. Key issues for consideration would include whether the Government have shown the extension of powers to be both necessary and proportionate. We encourage the Merits of Statutory Instruments Committee to apply the tests of necessity and proportionality to all secondary legislation which extends surveillance and data processing powers, and to alert the House in the normal way where there are any doubts about the appropriateness of the instruments.

Enhancing the quality of scrutiny

366. We now consider more general ways of enhancing the quality of parliamentary scrutiny. One obvious measure would be to increase the involvement of the Information Commissioner in the legislative process. David Smith, Deputy Information Commissioner, told us that "where Bills are subject to parliamentary scrutiny … it is rather haphazard as to whether we get invited, whether there is investigation of our areas." He wondered whether there was "some scope to formalise that arrangement whereby we have a right to be heard or something of that sort in the process where there are significant implications in legislation for the use and collection of personal information." (Q 8) Similarly, Richard Thomas, the Information Commissioner, said that "we would like … to have a stronger right to come forward—either the law requires some consultation with our office or that there is a duty when a new scheme is being introduced to consult with us." (Q 10) He noted that he did have a power "to make a special report to Parliament" and accepted that "it should have been used more frequently", but warned that there were resource implications. (Q 15)

367. Graham Greenleaf, Professor of Law at the University of New South Wales, went further and suggested that the Information Commissioner should be under "a statutory obligation to warn Parliament of any significant privacy dangers that he perceives in legislation or regulation." He said that the emphasis would be on the word "significant" so that the Commissioner would not have to refer minor concerns to Parliament. The advantage of a statutory duty, Professor Greenleaf explained, was that the Information Commissioner would avoid having to justify any intervention and would be less likely to face accusations of playing "partisan games". (Q 80)

368. Professor Bert-Jaap Koops, Professor of Law and Technology at Tilburg University Institute for Law, Technology and Society (TILT), told us that the Dutch Data Protection Authority works with its national parliament and provides advice on intended legislation. (Q 513) Indeed, Professor Koops made it plain that he considered such an advisory role to be an essential part of the regulatory function:

"I see two functions for regulatory authorities: one is to supervise the way that data protection law and also privacy law is being implemented and lived up to in practice … but I think the other role could be equally important, which is to provide parliaments with advice on intended legislation". (Q 513)

369. Dr Pounder suggested that the Information Commissioner should have the power to refer matters of concern to Parliament for consideration and action. (Q 847) This would exist in addition to the annual and extraordinary reporting processes currently set out in the Data Protection Act 1998 (DPA).

370. We believe that the Information Commissioner should have a greater role in advising Parliament in respect of surveillance and data issues. We therefore recommend that the Government should be required, by statute, to consult the Information Commissioner on bills or statutory instruments which involve surveillance or data processing powers. The Information Commissioner could then report any matters of concern to Parliament.

371. Several witnesses stressed the importance of Parliament, in the course of scrutiny, considering the effects on society of surveillance measures. Liberty told us that "Parliament is particularly well-placed to assess the wider societal impact of measures which interfere with personal privacy. While the courts, for example, often focus on individual cases, Parliament is better able to look at the broader picture." This was particularly important in the context of surveillance and data protection because "it is only when one aggregates the impact of such measures across the millions of people they affect that one can see the real extent of their effect on privacy and their significant constitutional implications." (p 103)

372. Professor Koops accepted the importance of such an approach, but warned that "the policy and societal debates often focus on the individual steps rather than on the entire leap, and it is questionable whether the cumulative move towards surveillance is evidence-based and well-considered." (p 173) The reason for this, he explained, was that parliaments were "incident driven" and tended to focus on "a single measure which seems important because with this you can prevent what happened last week, and so they look at each single measure … [and] do not have the overall picture and disregard the cumulative effect which all these measures together have on privacy." (Q 507) Therefore, he suggested, "a key recommendation for legislatures is to pay more attention to empirical underpinning of surveillance measures and their cumulative effect, to commission evaluation studies, and to use sunset clauses in legislation in case a measure does not show effect." (p 173)

373. Professor Ian Loader, Director of the Centre for Criminology, University of Oxford, also identified a systemic failure to take a cumulative and evidence-based approach:

"I sometimes think that surveillance measures in general, and let us take closed-circuit television cameras as an example, are what you might describe as destined to succeed. If it can be established that they have been a success in reducing levels of crime or fear of crime, then the answer is that we need more of them. If it can be established that they have not succeeded, then the answer is always that we need more of them … It seems to me that the consequence of that is that there is a ratcheting up process going on here. In other words, that once you put certain kinds of measures in place, it becomes very difficult to imagine the circumstances in which you could successfully take them away again, either legally, politically or culturally." (Q 610)

374. In Chapter 1, we drew attention to the spread and increase in surveillance and data collection over many years. It has been difficult for Parliament to scrutinise the piecemeal way surveillance has developed to cover so many aspects of everyday life. One way of increasing the ability of Parliament to take a more cumulative and evidence-based approach is to establish a Joint Committee of both Houses tasked specifically with considering surveillance and data issues, both through bill scrutiny and through wider policy inquiries. At the moment the remit of the JCHR only touches on surveillance and data issues insofar as they engage Convention rights. Similarly, the Constitution Committee can only consider surveillance and data powers during bill scrutiny insofar as they concern a point of principle affecting a principal part of the constitution. Furthermore both Committees already have a considerable workload. It is therefore desirable to set up a new Joint Committee that could look beyond the "individual steps" and single measures. The new Committee could scrutinise new surveillance and data processing powers against the broad policy context and consider empirical evidence on the effectiveness of the techniques involved, and on their effects on society and individual privacy. Such a Committee could build up a significant body of knowledge and employ its institutional memory to ensure continuity and consistency in legislative activity in this field.

375. We note the Canadian example of a parliamentary committee on access to information, privacy and ethics, which provides greater scrutiny of privacy protection issues. This Committee is able to subject bills to pre-legislative scrutiny.[175]

376. We recommend that a Joint Committee on the surveillance and data powers of the state be established, with the ability to draw upon outside research. Any legislation or proposed legislation which would expand surveillance or data processing powers should be scrutinised by this Committee.

377. An important element in maintaining an evidence-based and cumulative view of the surveillance landscape is the evaluation of whether legislation already enacted is operating as intended. As David Feldman, Rouse Ball Professor of English Law, University of Cambridge, warned us:

"One of the features of legislation that confers new powers on any agency is that they start by conferring it to deal with what is billed as an exceptional problem or threat, and usually the power is nicely limited and it is subject to carefully thought out safeguards which provide a graduated system for ensuring that the use of the power is properly limited and proportionate. It then becomes, as it were, normalised and increasingly drifts across into other functions, other agencies, and at the same time what tends to happen is that the safeguards, which were carefully thought out at the initial stage, get watered down, and that is a pattern which has been a common feature of police powers, data sharing powers, a whole range of powers to obtain and then use information across a very wide range of statutory fields." (Q 531)

378. The Government recently published its strategy on post-legislative scrutiny, proposing that departments should produce memoranda on most acts three years after enactment, with the relevant House of Commons select committee (or other committees where appropriate) then deciding whether to conduct further scrutiny.[176]

379. We urge the Government to give high priority to post-legislative scrutiny of key statutes involving surveillance and data processing powers, including those passed more than three years ago. The statutes should be considered as part of a whole, rather than in isolation. This post-legislative role could be carried out effectively by a new Joint Committee on surveillance and data powers.

172 HC Deb 28 June 2005 col 1253. Back

173 Identity Cards Act 2006, Section 1(4)(e). Back

174 Data Protection and Human Rights, op. cit., para 20. Back

175 Appendix 4, para 29. Back

176 Office of the Leader of the House of Commons, Post-legislative Scrutiny-The Government's Approach, Cm 7320, March 2008. Back