Introduction

380.  We have already examined the growth in surveillance and data processing in recent years. It has been said that we are in danger of sleepwalking into a surveillance society. Whilst recognising this danger, we believe that there are ways of avoiding this if action is taken now.

381.  We have made recommendations relating largely to government, Parliament and the regulators. In this chapter we consider the role played by citizens in surveillance and data processing. There are two main aspects to this. The first is citizens' exercise of autonomous choices about the collection and processing of data. The second is citizens' participation in policy decisions that affect privacy and data protection. This includes practical attempts to improve transparency and public understanding, and to take account of public views and concerns in the policy making process. We also consider the state of public opinion, knowledge and beliefs about surveillance, data processing and privacy.

The individual citizen's role

382.  We consider first the role of citizens in protecting the privacy of their own personal data and in controlling surveillance. The individual citizen plays an integral part within a framework of laws and other instruments for privacy protection, in terms of individual control of information, where possible, and in helping to exert collective pressure to improve practice and compliance with law.

383.  The doctrine of "informational self-determination" means that the citizen controls the flow of his or her personal data. The doctrine has been judicially interpreted in Germany to give the individual the right of control, but subject to restrictions determined by the test of proportionality. Dr Lee Bygrave, Associate Professor in the Faculty of Law, University of Oslo, told us how this right has served to curb legislation involving covert online monitoring of private internet activity, thus in effect extending the right to the protection of personal computer systems. (QQ 489-91)

384.  Although we recognise the difficulty in giving this principle practical effect or constitutional force in this country, in the absence of a statutory right to privacy we see it as having significant moral value in helping to restore an endangered priority in citizen-state relations. It also underpins the role of consent and individual choice in information processing.

385.  The Data Protection Act 1998 (DPA) supports individual citizens' input into data protection by giving them rights to prevent processing likely to cause damage or distress or in respect of direct marketing; to oppose decisions taken on the basis of automatic data-processing; to receive compensation for damage; and to have files corrected or destroyed. The most frequently used individual right is the right to have access to one's own data. These are essential legal safeguards. But their effectiveness may be limited by the degree of effort and expense required of the citizen--the "data subject"--to exercise these rights, whether judicially or by seeking the assistance of the Information Commissioner.

CONSENT

386.  Some legislative support to individual self-protection and "informational self-determination" is given through the principle of informed consent, which is often required in making data collection and sharing legitimate. Consent plays a part in the requirement for "fair processing" because it involves the organisation in conveying information to individuals about its processing activities. However, consent is not essential in determining whether personal data can be collected. Schedule 2 of the DPA includes consent as only one of the alternative conditions required for the processing of personal data, and Schedule 3 includes an alternative of "explicit consent" for processing "sensitive" information, including racial and ethnic origin, health, sexual life, offences, political opinions, and religious beliefs.

387.  The principle of consent to data collection or to data sharing can help to give individuals some control over their data, provided it is "free, genuine and informed", as is stipulated by the Data Sharing Review Report, by Richard Thomas, the Information Commissioner, and Mark Walport, Director of the Wellcome Trust (the Thomas-Walport Review).[177] In common with that Review, we are sympathetic to "the instinctive view that wherever possible, people should give consent to the use or sharing of their personal information, allowing them to exercise maximum autonomy and personal responsibility",[178] although we bear in mind conceptual and practical flaws that need to be overcome.[179]

388.  In practical terms, we recognise that, for many state activities and in the private sector, it is difficult to function without giving one's personal information, and that the scope for the individual to express genuine consent is narrow. The Information Commissioner, Richard Thomas, argued that, whereas supermarkets have a commercial, competitive interest in safeguarding personal data:

"In other areas of life, when you are dealing with social services, with the police, with the tax people, with immigration you do not have the same element of choice and I think that perhaps brings us into the arena of … the constitutional issues where, at the very least, there needs to be a great deal more transparency". (Q 11)

389.  Visual surveillance through CCTV and Automatic Number Plate Recognition (ANPR) systems for capturing information about moving vehicles, the National DNA Database (NDNAD)(except for volunteer samples), and other government databases including ContactPoint, are all examples where consent to data collection or "opting out" does not enter the equation. This is also true of the taxation system and many other state functions. Professor Clive Norris, Professor of Sociology and Deputy Director of the Centre for Criminological Research at the University of Sheffield, and representative of the Surveillance Studies Network, told us:

"If we say that personal data primarily should belong to the person in whom it originated, then what is the relationship between that person and the state's holding of it and how can that person audit the information that the state holds on them? I think that this becomes absolutely critical when that information is obtained without somebody's consent … CCTV cameras that record your number plates … [are] non-consensual. We have not consented to this act. I think as a citizen that, if the state is holding my personal information, the state should have a responsibility for demonstrating to me that it is accurate, that it is fair and that they have collected this information." (Q 67)

390.  Consent is important in other areas of the public sector, but there are grey areas in which the need, let alone the possibility, of gaining consent is not clear. The Thomas-Walport Review referred to the "murky legislative framework" that leaves public service staff uncertain about, for example, whether it is permissible to share, across organisations, sensitive data about a child without consent.[180] Organisations and their agents are sometimes in doubt about when or whether consent is necessary or desirable, and about the mechanics of obtaining it. Terri Dowty, Director of Action on Rights for Children (ARCH), told us with regard to collections of children's data:

"The Youth Justice Board says that gaining consent is a matter of good practice rather than a matter of law in order to share information about these children. The Government's guidance to the Common Assessment Framework says that a child of around 12 and perhaps even younger is competent to consent to data sharing, but the legal basis for that is unclear. The information sharing guidance that the Government issued, on the other hand, says that parents should always be involved in any decision. Unsurprisingly, practitioners are very confused, and it really is not clear what is happening." (Q 825)

391.  Terri Dowty did not think that the Information Commissioner was providing sufficient or helpful advice, and thought that Parliament should look again at the question of the age of children's capacity to give consent. (QQ 826-28)

392.  But the conditions for free, genuine and informed consent often fail to be met, as the Thomas-Walport Review showed.[181] This might be the case where there is a lack of transparency in the activities to which the individual is asked to consent, a false sense of choice, or an inability or unwillingness of an organisation to abide by the individual's response. There is also the question of whether fresh consent needs to be obtained where the data are to be used or disclosed for purposes other than the originally consented purpose. The extent to which consent can be subsequently revoked by the individual is a further issue.

393.  Graham Greenleaf, Professor of Law at the University of New South Wales, explained some of the most important current limitations regarding consent:

"I think that consent is an instrument of limited value in privacy statutes and it has been somewhat abused by consent not being clearly enough defined … Where genuine fully informed consent (where the individual really has the alternative to consent or not consent without being denied valuable services) is possible, of course it is one of the reasons that do justify what would otherwise be interferences with privacy. But where that fully genuine consent does not exist, it is better just to accept that the requirements should be first that there is justification for the interference and then notice that the interference is going to take place." (Q 83)

394.  The feasibility of consent in the fields of public health and medical research has been a fraught issue, as the Thomas-Walport Review acknowledged.[182] There are also practical difficulties in obtaining consent, for instance from children, the elderly, and incapacitated persons. Judgments by, for example, frontline health and care workers about whether and how to obtain consent, or instead to infer it, are put to a difficult test in cases of this kind.

395.  The issue of consent has also arisen in relation to the collection and retention of volunteer samples on the NDNAD. We discussed this in Chapter 4.

396.  Unless the obstacles and uncertainty are overcome, we believe that the citizen will lack an important element of empowerment that could act as a safeguard. We therefore welcome the Information Commissioner's guidance on consent to data sharing, contained in his recent Framework Code of Practice for Sharing Personal Information,[183] which is likely to form the basis of a statutory code.

397.  We recommend that the Government, in conjunction with the Information Commissioner, undertake a review of the law governing citizens' consent to use of their personal data.

Public opinion, beliefs and engagement

398.  Public opinion is important in policy decisions within a system of representative parliamentary democracy. Public opinion is dependent on the extent of individual understanding or experience of the issues involved. Support for surveillance may be based on lack of knowledge about its methods, extent, or unintended consequences. Overcoming such lack of knowledge is difficult in the face of organisations bent on increasing their surveillance and data collection.

399.  We are aware of the difficulty of conducting research into what the public feels and knows about surveillance issues. Methodological problems include focus group and sampling procedures, survey design, the phrasing of questions, and the analysis of answers. Research commissioned or conducted by government, business and the media cannot always be taken as disinterested. Assertions about what "the public" feel or want concerning surveillance are not conclusive, although they often go unchallenged. While there are few conclusive findings, we cite the results of various surveys and focus groups.

400.  We recommend that the Government bring together relevant research councils, polling organisations and government research and statistics bodies to examine ways of improving the independent gathering of public opinion on a range of issues related to surveillance and data processing.

PUBLIC OPINION AND ATTITUDES

401.  Public space CCTV appears to command widespread support in the UK. The Home Secretary said in a speech on 16 December 2008:

"I am quite clear that we have the confidence and support of the public … on the use of CCTV cameras … CCTV has helped to reclaim our town centres for the law-abiding majority. It's playing a key role in crime prevention and in reducing the fear of crime—in turn bolstering the confidence of communities to stand up to vandalism and anti-social behaviour."[184]

402.  The Minister of State at the Home Office for Crime, Policing, Counter-terrorism and Security, Vernon Coaker MP, told us:

"I think CCTV is very popular … if I look at my own constituency where people come to see me the demand is not for less CCTV; it is always for more. Also … people see it as a very effective safety measure. I have seen all the various debates that there are about it. All I can say is that everywhere I go and for nearly everybody that I speak to CCTV has been something which promotes public safety, helps tackle crime and is fantastically reassuring." (Q 1069)

403.  Councillor Hazel Harding, Leader of Lancashire County Council and Chair of the Local Government Association Safer Communities Board, agreed with this:

"My perception and that of my colleagues from various councils is that CCTV is very popular with law-abiding members of the public who see it as a preventative and feel much safer … CCTV is something that councils are facing demands for day after day from members of the public who think it would actually make them safe and they would feel safer because of it." (Q 771)

404.  The Association of Chief Police Officers (ACPO) alluded to the findings of the Leicestershire Citizens' Panel, which suggested that "the community is only too content to surrender some privacy in the interests of safety and crime reduction—and that CCTV is regarded as a highly acceptable intrusion." (p 41) On the other hand, ACPO also remarked that this popular drive for more CCTV coverage was "often against the advice and better judgement of the 'State'." (p 41)

405.  We saw in Chapter 3 that the evidence of CCTV's limited and variable effectiveness tends to contradict popular beliefs. We referred to the mixed evidence about CCTV's effect on the reduction of the fear of crime, and to increases in the feeling of safety, as ascertained by attitude research.[185] Government has made considerable sums available to local authorities through bidding processes--£38.5 million for 585 schemes between 1994 and 1999, and £170 million between 1999 and 2003 for 680 schemes under the Crime Reduction Programme.[186] While the Home Office has required "genuine" public consultation to be carried out by bidders for CCTV funding,[187] there can be no certainty that the opinions elicited were informed by independent evidence of likely effectiveness and adverse consequences, given the incentive to adopt CCTV that external funding provides.

406.  Some critical academic research suggests that policy "marketing" by vested interests, rather than informed and thorough local debate, results in unwarranted support for CCTV.[188] The House of Lords Science and Technology Committee's 1998 report on Digital Images as Evidence referred to evidence from John Burrow, the then Chief Constable of Essex:

"He believes that when public ignorance of the capabilities and intrusions of CCTV is replaced by awareness, then it 'may well be that there will be a falling off of public confidence in the authorities having control of such systems.'"[189]

407.  Looking beyond CCTV, Michael Wills MP, Minister of State in the Department of Justice with responsibility for data handling issues, told us:

"That question of public confidence is absolutely central. If the public have no confidence in the way data is being handled they will feel much less sanguine about taking the opportunities of data sharing and society as a whole will be poorer. If they have confidence because the systems are robust and transparent—which is also crucial—then of course we can reap the benefits." (Q 992)

408.  Vernon Coaker told us that the Home Office have not undertaken opinion polling in relation to public attitudes towards surveillance, "but we are going to do some polling with respect to the popularity of all this work". (Q 1034) Whilst he told us that such polling would take place "in the near future", he did not give a precise date by which it would be undertaken. (QQ 1037-39) In a subsequent letter the Minister told us that research into "public attitudes towards the type of information and data used for crime fighting and public protection purposes" would be available early in 2009. (pp 374-75) In spite of this lack of polling evidence, the Minister did feel able to assert that "I think it is the truth that people do support the use of surveillance and data collection techniques as long as they have that trust and it is proportionate and the work that is done is necessary". (Q 1034)

409.  A 2003 MORI survey carried out for the Department for Constitutional Affairs found that:

"The majority of the public (60%) say they are very or fairly concerned about how their information is handled, with 22% being very concerned. Only 12% are not at all concerned."[190]

410.  Among those who expressed concern, many pointed in particular to a feeling of lack of control over personal information and a lack of knowledge about who would have access to what information, what is being done with it, and why it is held.[191] This picture resembles that painted by the American Civil Liberties Union in the USA: a growing number of Americans are concerned about privacy issues, although they do not always understand what happens to their data in terms of profiling and sharing.[192]

411.  One of the most detailed surveys about surveillance issues is the 2008 pan-European Eurobarometer survey of public awareness about data protection. This suggests support in the UK for the use of surveillance practices to combat terrorism, especially in recent years. In comparison with respondents from other EU countries, proportionally more UK respondents were in favour of the unconditional monitoring of telephone calls, internet usage, credit card use, and passenger flight information, not only for suspected terrorists or with judicial supervision or equivalent safeguards. [193]

412.  However, about 76 per cent of UK respondents were very or fairly concerned about how public and private organisations protect the privacy of their personal data--a figure that has remained fairly constant since 1991.[194] Amongst UK respondents, only 35 per cent thought that their personal data were properly protected, 79 per cent worried about leaving personal information on the internet, and 69 per cent did not think that our legislation could cope with the growing number of people leaving personal information on the internet.[195]

413.  In a year that saw the losses of large collections of personal data by government organisations, the Information Commissioner told us:

"Concerns are increasing. People care about the subject matter; we ask people to rank their social concerns and this year 'Protecting my personal information' has ranked second … to preventing crime; it is ahead of concerns about the environment … about unemployed … about education … [and] about health. So it has gone right up the agenda. We know now that something like nine out of ten people … have concerns about the security of their personal information … 60 per cent are saying that they feel they have lost control over the way in which their personal information is being used." (Q 33)

414.  The Commissioner's research in 2007 found very high levels of public concern about organisations' use of personal information, with 94 per cent worried about both data security and the passing or selling of personal details to other organisations.[196] Only about 39 per cent thought that their personal details were sufficiently protected by existing laws and organisational practice.[197] Survey evidence cited in the Thomas-Walport Review is in general consistent with these findings.[198]

415.  We were told that, in the private sector in Canada, people have generally been content to provide their personal information in order to obtain store loyalty cards and other benefits. They are concerned when particular organisations are perceived to be using data in underhand or non-transparent manners, but most Canadians do not necessarily consider the cumulative effect of handing over such data to a wide range of private organisations. There is, however, a growing awareness that data could be used in ways that result in discrimination against certain types of people.[199]

416.  In the UK, focus group research conducted by the Trustguide project found that the public are tolerant of CCTV in public places but find the growth of such systems less acceptable. They are in general apprehensive about "what is perceived as increasingly heavy surveillance of day-to-day movements and activities":

"Many citizens feel that their constitutional rights are being eroded in the name of security, yet few feel under the degree of threat that might warrant such measures … The research shows we are at a tipping point of public acceptability of surveillance and data collection." (pp 408-09)

417.  Trustguide focus group members tended not to trust the Government's reported reasons for greater surveillance and data collection and "lack[ed] confidence in the state's ability to manage large scale IT projects securely and effectively." Identity cards, especially those that use biometric data, further eroded trust between the state and the citizen and were perceived as offering little personal benefit. DNA data collection was considered the most unacceptable, and "the communication of realistic restitutional measures in the event of breaches in IT systems" were perceived as better for trust than guarantees of security. People were apprehensive about "function creep"—the subsequent use of data that was collected for an explicit purpose in ways not previously stated or intended. (pp 408-11)

418.  The state of public awareness, knowledge and understanding about surveillance and data collection bears upon the Information Commissioner's warning about our "sleepwalking into a surveillance society".[200] On major public sector surveillance developments, the Commissioner told us:

"If these developments are to take place there needs to be a great deal more public debate. So many of these have happened away from any real parliamentary or public debate or scrutiny; it is only in the last year or so that we have had these questions coming up on radio shows, on television programmes, and I think now people are beginning to wake up to some of the implications." (Q 11)

419.  The focus group research carried out by the Performance and Innovation Unit (later the Strategy Unit) for their 2002 report, Privacy and Data-sharing: The Way Forward for Public Services,[201] found that the focus groups differed in the extent to which they believed data sharing was widespread. Levels of understanding were generally modest. The research also found that "involuntary service users were the most likely to exaggerate its extent" whilst "voluntary users of public services were the most frustrated about the absence of data sharing." Some groups expressed uncertainty about which data were shared, when and with whom.[202]

420.  These findings are important because, as we discussed earlier, the process of obtaining people's informed consent to collect and share data is affected by what citizens understand, or are led to understand. Public beliefs about risk are important for consent and other choices that have consequences for privacy. Dr Ian Forbes, Director of fig one Consultancy, and representative of the Royal Academy of Engineering (RAE), observed that "we know that in terms of trust people mostly think in terms of risk; how risky it is if they give you this information. So they will trust you if they think the risk is appropriate. They do not know what the risks are most of the time". (Q 450)

421.  Professor Angela Sasse, of University College London, and representative of the UK Computing Research Committee (UKCRC), told us:

"Very often, where people say they do not actually care about [privacy], it is because people are not very good at assessing risks in the future, because they have not experienced the impact or nobody they know well whom they would understand and empathise with has experienced these bad effects." (Q 413)

422.  Professor Martyn Thomas, independent consultant and representative of the UKCRC, illustrated this point in another context:

"We met with a group of schoolchildren and explained to them that if they put photographs on their Facebook page and then a few days later took them down, they did not go away, and they were shocked. We have a generation of people, not just the young people but their parents as well, who simply do not understand the risk that they are running because there is not a full understanding of how the internet works". (Q 417)

423.  The Eurobarometer survey revealed that a majority of UK respondents knew about specific rights and remedies available to them, but only when prompted.[203] These numbers, while consistent with the "prompted awareness" levels found in the Information Commissioner's annual tracking survey,[204] are far higher than those who can identify their rights without prompting.[205]

424.  We are aware that the Information Commissioner's Office (ICO) has devoted substantial resources over recent years to promoting public knowledge and awareness of privacy intrusions and protection. However, only some 19 per cent of those surveyed professed to know about the existence of "an independent authority in the UK monitoring the application of data protection laws"—a question asked abstractly and without mentioning the ICO.[206] A survey reported in 2008 by the British Computer Society showed that 90 per cent had heard of the DPA, although their perception of what it protects them from was less accurate.[207] A similar proportion was found in the Information Commissioner's 2007 research, although this was about twice the number who were aware of the DPA in unprompted responses.[208]

425.  The National DNA Database Ethics Group has recommended "better information for the public, the police, volunteers and custodial subjects on the use and limitations of forensic DNA analysis."[209] It sees this, in part, as important for informed consent when volunteer samples are taken.[210]

426.  The Ethics Group has also considered broader ways of informing the public about the NDNAD[211] and has established a means for gathering the views of a range of stakeholder organisations on the taking and retention of DNA samples which includes human rights organisations, political parties, learned societies, statutory bodies and a Home Office unit.[212] The Ethics Group has also taken the view that public debate must take place before any decisions are taken to convert the NDNAD into a repository of the entire country's DNA characteristics.[213]

427.  We recommend that the Government and local authorities should help citizens to understand the privacy and other implications for themselves and for society that may result from the use of surveillance and data processing. Government should involve schools, learned and other societies, and voluntary organisations in public discussion of the risks and benefits of surveillance and data processing.

428.  In the case of the NDNAD, we note that the Ethics Group has collaborated with the Human Genetics Commission's (HGC) "Citizens' Inquiry" that collected public views on the forensic use of DNA.[214]

429.  Panellists drawn from the general public produced 29 core recommendations which the HGC is subsequently considering. These include a nationwide public awareness campaign, and more substantive proposals concerning DNA retention, rules about the collection of samples, the governance of the NDNAD, and other issues.[215]

430.  We are impressed by the use of this technique for eliciting informed opinions by citizens and thus helping to shape policies.

431.  Professor Sasse told us:

"In my view Government has recently been very fond of just holding consultations which are effectively rubber-stamping, opinion-poll-type things. I do not have a great deal of faith in those. If you contrast them then with more detailed investigations where people actually have a chance to discuss scenarios that personally concern them and then to relate their decisions, what is reported is quite different. It needs to be a more in-depth engagement." (Q 458)

432.  We recommend that the Government should undertake an analysis of public consultations and their effectiveness, and should explore opportunities for applying versions of the Citizens' Inquiry technique to surveillance and data processing initiatives involving databases.

Transparency and public engagement

433.  The openness of organisations, both about their personal information and surveillance plans and practices, and about ways in which the public can be more effectively involved in understanding and shaping them, is important.

434.  If trust in relationships between citizens and the state is to be maintained, public understanding of surveillance and the way in which personal data are processed must involve organisational transparency, starting at an early stage in the Government's policy proposals. The Thomas-Walport Review emphasised transparency and drew a connection with public trust. It recommended six "good-practice steps" for organisations to take to increase transparency, most involving clearer and better information for the public about data sharing practices.[216] The Government have restated their commitment "to ensuring information sharing is undertaken in a transparent and controlled manner".[217]

435.  The House of Commons Home Affairs Committee's report, A Surveillance Society?, recommended that "the Home Office should work with the Information Commissioner to raise public awareness of how the Home Office collects, stores, shares and uses personal information."[218] The Information Commissioner has expressed his disappointment that the Government's response does not make any specific commitment to this.[219]

436.  We share the Information Commissioner's disappointment that the Government have not made a specific commitment to working with the Information Commissioner's Office to raise public awareness. We recommend that the Government reconsider this matter and commit to a plan of action agreed with the Information Commissioner.

437.  The Government have also drawn attention to the Home Office's Information Charter,[220] which is "aimed at raising public awareness".[221] The Government now promote the publication of Information Charters, enjoining them on all departments as a means of transparency.[222] There are existing examples of privacy statements on departmental websites.[223] The Government's response to the Coleman Report, Protecting Government Information, also cited the Charter as a transparency tool.[224]

438.  The model Charter's six undertakings do not explain key terms and issues concerning data retention periods, the rules for sharing, and the necessity for collection. The citizen is required to contact the department for further details. The Charter appears to derive from the Performance and Innovation Unit's document that was put out for public consultation in 2002.[225]

439.  In the interests of greater transparency, we support the Government's decision to require departments to promulgate an Information Charter. However, we remain to be convinced that the latest initiative will materially improve government transparency and public understanding.

440.  We recommend that the Government improve the design of the Information Charter, and report regularly to Parliament on the measures taken to publicise the Charter and on their monitoring of the public response to it.

441.  The Council for Science and Technology (CST) have also argued strongly for the promotion of better public understanding of information processes, including data sharing, and deeper public engagement with government. Their 2005 report, Better Use of Personal Information: Opportunities and Risks, recommended "dialogue with the public and stakeholders on the full range of benefits and risks, in particular to individual citizens as well as to society and to government".[226]

442.  The CST have outlined desirable procedures, and commissioned focus group discussions that explored public perceptions of the current and future use of personal data by public bodies, as well as public attitudes. Other than on information practices in the health sector, these discussions revealed considerable scepticism and lack of trust, a view that privacy protection was paramount, a demand for greater clarity in the reasons for sharing information, and feelings of powerlessness in the face of the state's use of personal information.[227]

443.  The CST have identified deficiencies in the way government engages with the general public's concerns over policy developments involving the use of science and technology. They have pressed government to adopt certain proposals which include the early identification of emerging issues, ministerial engagement with and commitment to public dialogue, governance arrangements for dialogue, allocation of resources, and evaluation and learning.[228] We believe that the proposals are adaptable for use in surveillance and data collection policies.

444.  The Government's response stated that they agreed "that public dialogue on science and technology must be driven forward within an explicit framework with top-level commitment." The Government thought that the CST's overarching framework was "sensible", and reflected the requirements of Cabinet Office guidance on consultation. It was conceded that "more work is needed to embed the principles across government … and we will continue to review and revise the guiding principles … and are taking steps to open up the process of developing policy to a wider range of voices." The Government also agreed that "public dialogue should be undertaken within a clear governance structure", but that "a flexible approach is necessary."[229]

445.  We support the Government's acceptance of the Council for Science and Technology's recommendations for public dialogue and engagement in terms that commit them to the further development of techniques, governance structures, and relationships both within government and with external bodies. We recommend that the Government report to Parliament on the formal requirements which they are placing on departments and agencies to ensure that this commitment extends to policies and practices involving surveillance and data processing.

Collective efforts

446.  We now consider collective efforts on behalf of the public to limit intrusive surveillance and data processing. Non-governmental organisations (NGOs) are among those who sustain these efforts.[230] Our visit to Canada and the USA left us with the impression that many civil liberties and campaign groups in those countries play a particularly prominent and well-respected role in relation to these issues.

447.  Dr Bygrave said that they are "important in igniting public debate." (Q 508) Large scale pressure group campaigns involving public protest have had occasional success, for example in influencing the Australian government to abandon its plans for a national identity card in 1986,[231] and in influencing the French government to modify substantially its EDVIGE proposal for a very large and intrusive database in 2008.[232]

448.  In this country, many groups, including Liberty, JUSTICE, Privacy International and the Foundation for Information Privacy Research (FIPR) operate across a broad front of issues. Some, such as NO2ID, campaign on single issues such as identity cards, whilst others, including the Enterprise Privacy Group and the British Computer Society, aim at raising the level of awareness and good practice among groups such as industry and business.

449.  Some NGOs assist the parliamentary scrutiny of legislation and the work of the ICO. FIPR claims success in improving a number of pieces of surveillance and data processing legislation, including the Regulation of Investigatory Powers Act 2000 (RIPA), the Health and Social Care Act 2001, the Anti-Terrorism, Crime and Security Act 2001, and in contributing to policy criticism on children's databases.[233] Liberty was prominent in briefing on the Identity Cards Act. Activities of this kind are of particular importance in the area of surveillance and information systems, where Parliament may particularly value the technical knowledge necessary for effective scrutiny to take place.

450.  Professor Bert-Jaap Koops, Professor of Law and Technology at Tilburg University Institute for Law, Technology and Society (TILT), told us:

"Pressure groups are very important because they can play a role in debates by giving information, by highlighting possible effects that in the general debates tend to be overlooked, but … they are usually quite small, with a few people, often volunteers, with limited resources, and so there are only a limited amount of topics that they can monitor. More importantly, if the question is: do they not fill up the democratic deficit to a large extent? No, they never can, because they have no power. Their function is to highlight evidence, to signal, to give information, but they have no influence directly … they have no power to say this measure should be not adopted, like parliaments, like the courts and data protection commissioners have, so they could never fill up the democratic deficit." (Q 511)

451.  We believe that the Government should involve non-governmental organisations in the development and implementation of surveillance and data processing policies with significant implications for the citizen.

178   ibid., para. 5.8. Back

179   For example, see Manson N and O'Neill O, Rethinking Informed Consent in Bioethics, 2007. Back

180   Data Sharing Review Report, op. cit., para 5.27, and Box, p 38. Back

181   ibid., paras 5.7-5.20. Back

182   ibid., paras 2.31-2.32. Back

183   Framework Code of Practice for Sharing Personal Information, op. cit., pp 7-8. Back

184   Jacqui Smith MP, Speech to the Intellect Trade Association, op. cit. Back

185   Gill M and Spriggs A, Assessing the Impact of CCTV, Home Office Research Study 292, February 2005, pp 4-5. Back

186   National CCTV Strategy, op. cit., p 7.  Back

187   Home Office, CCTV Initiative: Application Prospectus, Section 5, para 18. Back

188   Webster C, "Closed Circuit Television and Information Age Policy Processes", in Hague B and Loader B (eds.), Digital Democracy: Discourse and Decision Making in the Information Age, 1999, Chapter 8, pp 116-31. Back

189   5th Report (1997-98): Digital Images as Evidence (HL 64), para 4.8, and Q 420.  Back

190   MORI, Privacy and Data-Sharing--Survey of Public Awareness and Perceptions: Research Study Conducted for Department for Constitutional Affairs, June-July 2003, p 13. Back

191   ibid., p 14. Back

192   Appendix 4, para 57. Back

193   Flash Eurobarometer-The Gallup Organization, Data Protection in the European Union: Citizens' Perceptions--Analytical Report, Series #225, February 2008, pp 47-55.  Back

194   ibid., pp. 7-8. Back

195   ibid., pp 78 (Table 4a), 82 (Table 6a); 84 (Table 7a). Back

196   SMSR, Report on Information Commissioner's Office, Annual Track: 2007--Individuals, September 2007, p 16. Back

197   ibid., p 13. Back

198   Data Sharing Review Report, op. cit., pp 10-11. Back

199   Appendix 4, para 16. Back

200   See para 2. Back

201   Cabinet Office and Performance and Innovation Unit, Privacy and Data-sharing: The Way Forward for Public Services, April 2002. Back

202   6 P, Strategies for Reassurance: Public Concerns about Privacy and Data Sharing in Government--Findings from Focus Groups, Performance and Innovation Unit, 2001, pp iv-v. Back

203   Data Protection in the European Union: Citizens' Perceptions--Analytical Report, op. cit., Chapter 4. Back

204   Information Commissioner's Office, Annual Report 2007/08, HC 670, July 2008, p 13; Report on Information Commissioner's Office, Annual Track: 2007--Individuals, op. cit., p 15. Back

205   Report on Information Commissioner's Office, Annual Track: 2007--Individuals, op. cit., p 14.  Back

206   Data Protection in the European Union: Citizens' Perceptions--Analytical Report, op. cit., p 104 (Table 17a).  Back

207   British Computer Society, BCS Data Guardianship Survey 2008, March 2008, p 4.  Back

208   Report on Information Commissioner's Office, Annual Track: 2007--Individuals, op. cit., p 17.  Back

209   1^st Annual Report of the Ethics Group: National DNA Database, op. cit., Recommendation E, p 21. Back

210   ibid., para 5.19. Back

211   ibid., pp 54-56.  Back

212   ibid., pp 47-49. Back

213   ibid., p 26. Back

214   ibid., p. 50.  Back

215   A Citizens' Inquiry into the Forensic Use of DNA and the National DNA Database: Citizens' Report, July 2008. Back

216   Data Sharing Review Report, op. cit., para 8.14. Back

217   Government Response to Data Protection and Human Rights, op. cit., Appendix (p 11).  Back

218   A Surveillance Society?, op. cit., para 162. Back

219   Information Commissioner's Office, Information Commissioner's Formal Response to the House of Commons Home Affairs Committee Report 'A Surveillance Society?', para 5.3. Back

220   See http://www.homeoffice.gov.uk/documents/information-charter?view=Binary. Back

221   The Government Reply to A Surveillance Society?, op. cit., p 9. Back

222   Data Handling Procedures in Government: Final Report, op. cit., p 23, paras 2.43, 3.8, and Annex IV. Back

223   ibid., Annex IV. For example see Department for Children, Schools and Families, http://www.dcsf.gov.uk/copyright/pdf/psg-english1.pdf; HM Revenue & Customs, http://www.hmrc.gov.uk/about/privacy.htm; and Department for Transport, http://www.dft.gov.uk/about/informationcharter/  Back

224   Data Handling Procedures in Government: Final Report, op. cit., p 39. See Protecting Government Information-Independent Review of Government Information Assurance, op. cit.  Back

225   Performance and Innovation Unit, Privacy and Data-sharing: The Way Forward for Public Services, op. cit., p 58. Back

226   Better Use of Personal Information: Opportunities and Risks, op. cit., p 2.  Back

227   OPM, Research into the Use of Personal Datasets held by Public Sector Bodies--Final Report for Council for Science and Technology (draft), October 2005, pp 2-3. Back

228   Council for Science and Technology, Policy Through Dialogue: Informing Policies Based on Science and Technology, March 2005. Back

229   Council for Science and Technology Report, Policy through Dialogue, Published March 2005--Government Response, September 2005. See especially paras 4-7, 10. Back

230   Bennett C, The Privacy Advocates: Resisting the Spread of Surveillance, 2008. Back

231   Davies S, Big Brother: Britain's Web of Surveillance and the New Technological Order, 1996, Chapter 7. Back

232   "French File EDVIGE Revised After Huge Civil Society Mobilization", EDRI-gram Number 6.18, 24 September 2008. Back

233   See http://www.fipr.org/achievements.html Back