Surveillance: Citizens and the State - Constitution Committee

CHAPTER 9: Recommendations

452.  We regard privacy and the application of executive and legislative restraint to the use of surveillance and data collection powers as necessary conditions for the exercise of individual freedom and liberty. Privacy and executive and legislative restraint should be taken into account at all times by the executive, government agencies, and public bodies. (paragraph 144)

Recommendations relating to the commissioners

453.  Before introducing any new surveillance measure, the Government should endeavour to establish its likely effect on public trust and the consequences for public compliance. This task could be undertaken by an independent review body or non-governmental organisation, possibly in conjunction with the Information Commissioner's Office. (paragraph 110)

454.  The Government should consider expanding the remit of the Information Commissioner to include responsibility for monitoring the effects of government and private surveillance practices on the rights of the public at large under Article 8 of the European Convention on Human Rights. (paragraph 137)

455.  We regret that the Government have often failed to consult the Information Commissioner at an early stage of policy development with privacy implications. We recommend that the Government instruct departments to consult the Information Commissioner at the earliest stages of policy development and that the Government should set out in the explanatory notes to bills how and when they consulted the Information Commissioner, and with what result. (paragraph 231)

456.  We welcome the Government's decision to provide a statutory basis for the Information Commissioner to carry out inspections without consent of public sector organisations which process personal information systems, but regret the decision not to legislate for a comparable power with respect to private sector organisations. We recommend that the Government reconsider this matter. Organisations which refuse to allow the Commissioner to carry out inspections are likely to be those with something to hide. In addition, the protection of citizens' data may in the absence of legislation be vitiated given the growing exchange of personal data between the public and private sectors. (paragraph 238)

457.  We welcome the new powers for the Information Commissioner to levy fines on data controllers for deliberately or recklessly breaching the data protection principles, and we recommend that the Government bring these powers into force as soon as possible. The maximum level of penalties should mirror that available to comparable regulators, and should not be disproportionate. This must be subject to an appropriate appeals procedure. (paragraph 243)

458.  We recommend that the Chief Surveillance Commissioner and the Interception of Communications Commissioner should introduce more flexibility to their inspection regimes, so that they can promptly investigate cases where there is widespread concern that powers under the Regulation of Investigatory Powers Act 2000 have been used disproportionately or unnecessarily, and that they seek appropriate advice from the Information Commissioner. (paragraph 257)

459.  We recommend that the Investigatory Powers Tribunal publicise its role, and make its existence and powers more widely known to the general public. (paragraph 259)

460.  We recommend that the Government amend the provisions of the Data Protection Act 1998 so as to make it mandatory for government departments to produce an independent, publicly available, full and detailed Privacy Impact Assessment (PIA) prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing. The Information Commissioner, or other independent authorities, should have a role in scrutinising and approving these PIAs. We also recommend that the Government—after public consultation—consider introducing a similar system for the private sector. (paragraph 307)

461.  We believe that the Information Commissioner should have a greater role in advising Parliament in respect of surveillance and data issues. We therefore recommend that the Government should be required, by statute, to consult the Information Commissioner on bills or statutory instruments which involve surveillance or data processing powers. The Information Commissioner could then report any matters of concern to Parliament. (paragraph 370)

462.  We recommend that the Government, in conjunction with the Information Commissioner, undertake a review of the law governing citizens' consent to use of their personal data. (paragraph 397)

463.  We share the Information Commissioner's disappointment that the Government have not made a specific commitment to working with the Information Commissioner's Office to raise public awareness. We recommend that the Government reconsider this matter and commit to a plan of action agreed with the Information Commissioner. (paragraph 436)

Recommendations relating to the National DNA Database

464.  We believe that DNA profiles should only be retained on the National DNA Database (NDNAD) where it can be shown that such retention is justified or deserved. We expect the Government to comply fully, and as soon as possible, with the judgment of the European Court of Human Rights in the case of S. and Marper v. the United Kingdom, and to ensure that the DNA profiles of people arrested for, or charged with, a recordable offence but not subsequently convicted are not retained on the NDNAD for an unlimited period of time. (paragraph 197)

465.  Whilst a universal National DNA Database would be more logical than the current arrangements, we think that it would be undesirable both in principle on the grounds of civil liberties, and in practice on the grounds of cost. (paragraph 200)

466.  We recommend that the law enforcement authorities should improve the transparency of consent procedures and forms in respect of the National DNA Database (NDNAD). We believe that the DNA profiles of volunteers should as a matter of law be removed from the NDNAD at the close of an inquiry unless the volunteer consents to its retention. (paragraph 208)

467.  We are concerned that the National DNA Database (NDNAD) is not governed by a single statute. We recommend that the Government introduce a bill to replace the existing regulatory framework, providing an opportunity to reassess the rules on the length of time for which DNA profiles are retained, and to provide regulatory oversight of the NDNAD. (paragraph 212)

Recommendations relating to CCTV

468.  We recommend that the Home Office commission an independent appraisal of the existing research evidence on the effectiveness of CCTV in preventing, detecting and investigating crime. (paragraph 82)

469.  We recommend that the Government should propose a statutory regime for the use of CCTV by both the public and private sectors, introduce codes of practice that are legally binding on all CCTV schemes and establish a system of complaints and remedies. This system should be overseen by the Office of Surveillance Commissioners in conjunction with the Information Commissioner's Office. (paragraph 219)

Recommendations for legislation and the legislative process

470.  We welcome the UK Computing Research Committee's suggestion that the encryption of personal data should be mandatory in some circumstances. Organisations should avoid connecting to the internet computers which contain large amounts of personal information. We recommend that the Government introduce appropriate regulations. (paragraph 117)

471.  We recommend that the Government undertake a review of the administrative procedures set out in the Regulation of Investigatory Powers Act 2000 so as to resolve the contrasting views expressed by the Association of Chief Police Officers (ACPO) and the Office of Surveillance Commissioners about the effectiveness of the current legal framework and the system of authorisations. (paragraph 159)

472.  We recommend that the Government consultation on proposed changes to the Regulation of Investigatory Powers Act 2000 should consider whether local authorities, rather than the police, are the appropriate bodies to exercise such powers. If it is concluded that they are the appropriate bodies, we believe that such powers should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years. We recommend that the Government take steps to ensure that these powers are only exercised where strictly necessary, and in an appropriate and proportionate manner. (paragraph 177)

473.  We are concerned that three different offices overseeing the operation of the Regulation of Investigatory Powers Act 2000 (RIPA) may result in inefficiencies and disjointed inspection. We recommend that the Government examine the feasibility of rationalising the inspection system and the activities of the three RIPA Commissioners. (paragraph 252)

474.  We are concerned that primary legislation in the fields of surveillance and data processing all too often does not contain sufficient detail and specificity to allow Parliament to scrutinise the proposed measures effectively. We support the conclusion of the Joint Committee on Human Rights that the Government's powers should be set out in primary legislation, and we urge the Government to ensure that this happens in future. We will keep this matter under close review in the course of our bill scrutiny activities. (paragraph 357)

475.  We urge the Government to give high priority to post-legislative scrutiny of key statutes involving surveillance and data processing powers, including those passed more than three years ago. The statutes should be considered as part of a whole, rather than in isolation. This post-legislative role could be carried out effectively by a new Joint Committee on surveillance and data powers. (paragraph 379)

Other specific actions for the Government

476.  We recommend that the Government should instruct government agencies and private organisations involved in surveillance and data use on how the rights contained in Article 8 of the European Convention on Human Rights are to be implemented. The Government should provide clear and publicly available guidance as to the legal meanings of necessity and proportionality. We recommend that a complaints procedure be established by the Government and that, where appropriate, legal aid should be made available for Article 8 claims. (paragraph 134)

477.  We recommend that the Government consider introducing a system of judicial oversight for surveillance carried out by public authorities, and that individuals who have been made the subject of surveillance be informed of that surveillance, when completed, where no investigation might be prejudiced as a result. We recommend that compensation should be available to those subject to unlawful surveillance by the police, intelligence services, or other public bodies acting under the powers conferred by the Regulation of Investigatory Powers Act 2000. (paragraph 163)

478.  We recommend that the Government's development of identification systems should give priority to citizen-oriented considerations. (paragraph 268)

479.  We agree with the recommendation of the Joint Committee on Human Rights that the role of data protection minister should be enhanced and its profile elevated, and are disappointed that the Government's response has not grasped the main point about the need for more effective central leadership. The Government should report to the House through this Committee on the feasibility of having Ministry of Justice (MoJ) lawyers working in other departments and reporting to the MoJ on departmental policies with data protection implications, and of certification of legislative compatibility with the Human Rights Act 1998. This should be in conjunction with the current system of certification of compatibility by the Minister in charge of each bill going through Parliament. (paragraph 290)

480.  We support the recommendations made in the Thomas-Walport Data Sharing Review Report for changes in organisational cultures, leadership, accountability, transparency, training and awareness, and welcome the Government's acceptance of them. We urge the Government to report on their progress to Parliament. (paragraph 292)

481.  We recommend that the Government devote more resources to the training of individuals exercising statutory surveillance powers under the Regulation of Investigatory Powers Act 2000, with a view to improving the standard of practice and respect for privacy. We recommend that the principles of necessity and proportionality are publicly described and that the application of these principles to surveillance should be consistent across government. (paragraph 323)

482.  We believe that encryption has a vital role to play in ensuring the security of data, and that the Government should insist upon its use as appropriate throughout the public and private sectors. (paragraph 331)

483.  In the interests of strengthening the protection of personal data, we urge the Government to make the Manual of Protective Security subject to regular and rigorous peer review. (paragraph 342)

484.  In the light of the potential threat to public confidence and individual privacy, we recommend that the Government should improve the safeguards and restrictions placed on surveillance and data handling. (paragraph 345)

485.  We recommend that the Government review their procurement processes so as to incorporate design solutions that include privacy-enhancing technologies in new or planned data gathering and processing systems. (paragraph 349)

486.  We recommend that the Government bring together relevant research councils, polling organisations and government research and statistics bodies to examine ways of improving the independent gathering of public opinion on a range of issues related to surveillance and data processing. (paragraph 400)

487.  We recommend that the Government and local authorities should help citizens to understand the privacy and other implications for themselves and for society that may result from the use of surveillance and data processing. Government should involve schools, learned and other societies, and voluntary organisations in public discussion of the risks and benefits of surveillance and data processing. (paragraph 427)

488.  We recommend that the Government should undertake an analysis of public consultations and their effectiveness, and should explore opportunities for applying versions of the Citizens' Inquiry technique to surveillance and data processing initiatives involving databases. (paragraph 432)

489.  We recommend that the Government improve the design of the Information Charter, and report regularly to Parliament on the measures taken to publicise the Charter and on their monitoring of the public response to it. (paragraph 440)

490.  We support the Government's acceptance of the Council for Science and Technology's recommendations for public dialogue and engagement in terms that commit them to the further development of techniques, governance structures, and relationships both within government and with external bodies. We recommend that the Government report to Parliament on the formal requirements which they are placing on departments and agencies to ensure that this commitment extends to policies and practices involving surveillance and data processing. (paragraph 445)

491.  We believe that the Government should involve non-governmental organisations in the development and implementation of surveillance and data processing policies with significant implications for the citizen. (paragraph 451)

Recommendations relating to Parliament

492.  We welcome the Government's plans for better data handling. We recommend that the Government's report on progress on data handling and security be scrutinised by parliamentary committees. (paragraph 337)

493.  We encourage the Merits of Statutory Instruments Committee to apply the tests of necessity and proportionality to all secondary legislation which extends surveillance and data processing powers, and to alert the House in the normal way where there are any doubts about the appropriateness of the instruments. (paragraph 365)

494.  We recommend that a Joint Committee on the surveillance and data powers of the state be established, with the ability to draw upon outside research. Any legislation or proposed legislation which would expand surveillance or data processing powers should be scrutinised by this Committee. (paragraph 376)

Recommendation relating to all public and private sector organisations

495.  As surveillance is potentially a threat to privacy, we recommend that before public or private sector organisations adopt any new surveillance or personal data processing system, they should first consider the likely effect on individual privacy. (paragraph 103)

© Parliamentary copyright 2009