CHAPTER 9: Recommendations
452. We regard privacy and the application of
executive and legislative restraint to the use of surveillance
and data collection powers as necessary conditions for the exercise
of individual freedom and liberty. Privacy and executive and legislative
restraint should be taken into account at all times by the executive,
government agencies, and public bodies. (paragraph 144)
Recommendations relating to the commissioners
453. Before introducing any new surveillance
measure, the Government should endeavour to establish its likely
effect on public trust and the consequences for public compliance.
This task could be undertaken by an independent review body or
non-governmental organisation, possibly in conjunction with the
Information Commissioner's Office. (paragraph 110)
454. The Government should consider expanding
the remit of the Information Commissioner to include responsibility
for monitoring the effects of government and private surveillance
practices on the rights of the public at large under Article 8
of the European Convention on Human Rights. (paragraph 137)
455. We regret that the Government have often
failed to consult the Information Commissioner at an early stage
of policy development with privacy implications. We recommend
that the Government instruct departments to consult the Information
Commissioner at the earliest stages of policy development and
that the Government should set out in the explanatory notes to
bills how and when they consulted the Information Commissioner,
and with what result. (paragraph 231)
456. We welcome the Government's decision to
provide a statutory basis for the Information Commissioner to
carry out inspections without consent of public sector organisations
which process personal information systems, but regret the decision
not to legislate for a comparable power with respect to private
sector organisations. We recommend that the Government reconsider
this matter. Organisations which refuse to allow the Commissioner
to carry out inspections are likely to be those with something
to hide. In addition, the protection of citizens' data may in
the absence of legislation be vitiated given the growing exchange
of personal data between the public and private sectors. (paragraph
238)
457. We welcome the new powers for the Information
Commissioner to levy fines on data controllers for deliberately
or recklessly breaching the data protection principles, and we
recommend that the Government bring these powers into force as
soon as possible. The maximum level of penalties should mirror
that available to comparable regulators, and should not be disproportionate.
This must be subject to an appropriate appeals procedure. (paragraph
243)
458. We recommend that the Chief Surveillance
Commissioner and the Interception of Communications Commissioner
should introduce more flexibility to their inspection regimes,
so that they can promptly investigate cases where there is widespread
concern that powers under the Regulation of Investigatory Powers
Act 2000 have been used disproportionately or unnecessarily, and
that they seek appropriate advice from the Information Commissioner.
(paragraph 257)
459. We recommend that the Investigatory Powers
Tribunal publicise its role, and make its existence and powers
more widely known to the general public. (paragraph 259)
460. We recommend that the Government amend the
provisions of the Data Protection Act 1998 so as to make it mandatory
for government departments to produce an independent, publicly
available, full and detailed Privacy Impact Assessment (PIA) prior
to the adoption of any new surveillance, data collection or processing
scheme, including new arrangements for data sharing. The Information
Commissioner, or other independent authorities, should have a
role in scrutinising and approving these PIAs. We also recommend
that the Governmentafter public consultationconsider
introducing a similar system for the private sector. (paragraph
307)
461. We believe that the Information Commissioner
should have a greater role in advising Parliament in respect of
surveillance and data issues. We therefore recommend that the
Government should be required, by statute, to consult the Information
Commissioner on bills or statutory instruments which involve surveillance
or data processing powers. The Information Commissioner could
then report any matters of concern to Parliament. (paragraph 370)
462. We recommend that the Government, in conjunction
with the Information Commissioner, undertake a review of the law
governing citizens' consent to use of their personal data.
(paragraph 397)
463. We share the Information Commissioner's
disappointment that the Government have not made a specific commitment
to working with the Information Commissioner's Office to raise
public awareness. We recommend that the Government reconsider
this matter and commit to a plan of action agreed with the Information
Commissioner. (paragraph 436)
Recommendations relating to the National DNA Database
464. We believe that DNA profiles should only
be retained on the National DNA Database (NDNAD) where it can
be shown that such retention is justified or deserved. We expect
the Government to comply fully, and as soon as possible, with
the judgment of the European Court of Human Rights in the case
of S. and Marper v. the United Kingdom, and to ensure that
the DNA profiles of people arrested for, or charged with, a recordable
offence but not subsequently convicted are not retained on the
NDNAD for an unlimited period of time. (paragraph 197)
465. Whilst a universal National DNA Database
would be more logical than the current arrangements, we think
that it would be undesirable both in principle on the grounds
of civil liberties, and in practice on the grounds of cost. (paragraph
200)
466. We recommend that the law enforcement authorities
should improve the transparency of consent procedures and forms
in respect of the National DNA Database (NDNAD). We believe that
the DNA profiles of volunteers should as a matter of law be removed
from the NDNAD at the close of an inquiry unless the volunteer
consents to its retention. (paragraph 208)
467. We are concerned that the National DNA Database
(NDNAD) is not governed by a single statute. We recommend that
the Government introduce a bill to replace the existing regulatory
framework, providing an opportunity to reassess the rules on the
length of time for which DNA profiles are retained, and to provide
regulatory oversight of the NDNAD. (paragraph 212)
Recommendations relating to CCTV
468. We recommend that the Home Office commission
an independent appraisal of the existing research evidence on
the effectiveness of CCTV in preventing, detecting and investigating
crime. (paragraph 82)
469. We recommend that the Government should
propose a statutory regime for the use of CCTV by both the public
and private sectors, introduce codes of practice that are legally
binding on all CCTV schemes and establish a system of complaints
and remedies. This system should be overseen by the Office of
Surveillance Commissioners in conjunction with the Information
Commissioner's Office. (paragraph 219)
Recommendations for legislation and the legislative
process
470. We welcome the UK Computing Research Committee's
suggestion that the encryption of personal data should be mandatory
in some circumstances. Organisations should avoid connecting to
the internet computers which contain large amounts of personal
information. We recommend that the Government introduce appropriate
regulations. (paragraph 117)
471. We recommend that the Government undertake
a review of the administrative procedures set out in the Regulation
of Investigatory Powers Act 2000 so as to resolve the contrasting
views expressed by the Association of Chief Police Officers (ACPO)
and the Office of Surveillance Commissioners about the effectiveness
of the current legal framework and the system of authorisations.
(paragraph 159)
472. We recommend that the Government consultation
on proposed changes to the Regulation of Investigatory Powers
Act 2000 should consider whether local authorities, rather than
the police, are the appropriate bodies to exercise such powers.
If it is concluded that they are the appropriate bodies, we believe
that such powers should only be available for the investigation
of serious criminal offences which would attract a custodial sentence
of at least two years. We recommend that the Government take steps
to ensure that these powers are only exercised where strictly
necessary, and in an appropriate and proportionate manner. (paragraph
177)
473. We are concerned that three different offices
overseeing the operation of the Regulation of Investigatory Powers
Act 2000 (RIPA) may result in inefficiencies and disjointed inspection.
We recommend that the Government examine the feasibility of rationalising
the inspection system and the activities of the three RIPA Commissioners.
(paragraph 252)
474. We are concerned that primary legislation
in the fields of surveillance and data processing all too often
does not contain sufficient detail and specificity to allow Parliament
to scrutinise the proposed measures effectively. We support the
conclusion of the Joint Committee on Human Rights that the Government's
powers should be set out in primary legislation, and we urge the
Government to ensure that this happens in future. We will keep
this matter under close review in the course of our bill scrutiny
activities. (paragraph 357)
475. We urge the Government to give high priority
to post-legislative scrutiny of key statutes involving surveillance
and data processing powers, including those passed more than three
years ago. The statutes should be considered as part of a whole,
rather than in isolation. This post-legislative role could be
carried out effectively by a new Joint Committee on surveillance
and data powers. (paragraph 379)
Other specific actions for the Government
476. We recommend that the Government should
instruct government agencies and private organisations involved
in surveillance and data use on how the rights contained in Article
8 of the European Convention on Human Rights are to be implemented.
The Government should provide clear and publicly available guidance
as to the legal meanings of necessity and proportionality. We
recommend that a complaints procedure be established by the Government
and that, where appropriate, legal aid should be made available
for Article 8 claims. (paragraph 134)
477. We recommend that the Government consider
introducing a system of judicial oversight for surveillance carried
out by public authorities, and that individuals who have been
made the subject of surveillance be informed of that surveillance,
when completed, where no investigation might be prejudiced as
a result. We recommend that compensation should be available to
those subject to unlawful surveillance by the police, intelligence
services, or other public bodies acting under the powers conferred
by the Regulation of Investigatory Powers Act 2000. (paragraph
163)
478. We recommend that the Government's development
of identification systems should give priority to citizen-oriented
considerations. (paragraph 268)
479. We agree with the recommendation of the
Joint Committee on Human Rights that the role of data protection
minister should be enhanced and its profile elevated, and are
disappointed that the Government's response has not grasped the
main point about the need for more effective central leadership.
The Government should report to the House through this Committee
on the feasibility of having Ministry of Justice (MoJ) lawyers
working in other departments and reporting to the MoJ on departmental
policies with data protection implications, and of certification
of legislative compatibility with the Human Rights Act 1998. This
should be in conjunction with the current system of certification
of compatibility by the Minister in charge of each bill going
through Parliament. (paragraph 290)
480. We support the recommendations made in the
Thomas-Walport Data Sharing Review Report for changes in
organisational cultures, leadership, accountability, transparency,
training and awareness, and welcome the Government's acceptance
of them. We urge the Government to report on their progress to
Parliament. (paragraph 292)
481. We recommend that the Government devote
more resources to the training of individuals exercising statutory
surveillance powers under the Regulation of Investigatory Powers
Act 2000, with a view to improving the standard of practice and
respect for privacy. We recommend that the principles of necessity
and proportionality are publicly described and that the application
of these principles to surveillance should be consistent across
government. (paragraph 323)
482. We believe that encryption has a vital role
to play in ensuring the security of data, and that the Government
should insist upon its use as appropriate throughout the public
and private sectors. (paragraph 331)
483. In the interests of strengthening the protection
of personal data, we urge the Government to make the Manual of
Protective Security subject to regular and rigorous peer review.
(paragraph 342)
484. In the light of the potential threat to
public confidence and individual privacy, we recommend that the
Government should improve the safeguards and restrictions placed
on surveillance and data handling. (paragraph 345)
485. We recommend that the Government review
their procurement processes so as to incorporate design solutions
that include privacy-enhancing technologies in new or planned
data gathering and processing systems. (paragraph 349)
486. We recommend that the Government bring together
relevant research councils, polling organisations and government
research and statistics bodies to examine ways of improving the
independent gathering of public opinion on a range of issues related
to surveillance and data processing. (paragraph 400)
487. We recommend that the Government and local
authorities should help citizens to understand the privacy and
other implications for themselves and for society that may result
from the use of surveillance and data processing. Government should
involve schools, learned and other societies, and voluntary organisations
in public discussion of the risks and benefits of surveillance
and data processing. (paragraph 427)
488. We recommend that the Government should
undertake an analysis of public consultations and their effectiveness,
and should explore opportunities for applying versions of the
Citizens' Inquiry technique to surveillance and data processing
initiatives involving databases. (paragraph 432)
489. We recommend that the Government improve
the design of the Information Charter, and report regularly to
Parliament on the measures taken to publicise the Charter and
on their monitoring of the public response to it. (paragraph 440)
490. We support the Government's acceptance of
the Council for Science and Technology's recommendations for public
dialogue and engagement in terms that commit them to the further
development of techniques, governance structures, and relationships
both within government and with external bodies. We recommend
that the Government report to Parliament on the formal requirements
which they are placing on departments and agencies to ensure that
this commitment extends to policies and practices involving surveillance
and data processing. (paragraph 445)
491. We believe that the Government should involve
non-governmental organisations in the development and implementation
of surveillance and data processing policies with significant
implications for the citizen. (paragraph 451)
Recommendations relating to Parliament
492. We welcome the Government's plans for better
data handling. We recommend that the Government's report on progress
on data handling and security be scrutinised by parliamentary
committees. (paragraph 337)
493. We encourage the Merits of Statutory Instruments
Committee to apply the tests of necessity and proportionality
to all secondary legislation which extends surveillance and data
processing powers, and to alert the House in the normal way where
there are any doubts about the appropriateness of the instruments.
(paragraph 365)
494. We recommend that a Joint Committee on the
surveillance and data powers of the state be established, with
the ability to draw upon outside research. Any legislation or
proposed legislation which would expand surveillance or data processing
powers should be scrutinised by this Committee. (paragraph 376)
Recommendation relating to all public and private
sector organisations
495. As surveillance is potentially a threat
to privacy, we recommend that before public or private sector
organisations adopt any new surveillance or personal data processing
system, they should first consider the likely effect on individual
privacy. (paragraph 103)
|