Memorandum by the British Computer Society (BCS)
1. SCOPE
BCS has targeted both its Government Relations
Group and its information security experts, who have provided valued
input into this consultation.
2. EXECUTIVE SUMMARY
2.1 Whilst BCS supports the need for efficient
public services which fully utilise the technology available,
and understands the concerns which lead to the increase in surveillance
measures, it is extremely perturbed about the increasing (although
not deliberate) power of the state vis-à-vis the
citizen as surveillance measures proliferate and data collection
increases.
2.2 BCS wishes to warn policy makers of
all the issues surrounding use of a "common identifier"
in data sharing/aggregation and calls for adequate safeguards
to protect the public in the light of this knowledge.
2.3 BCS believes the government should provide
clear guidance on the guardianship of shared/aggregated data on
individual citizens and recognize the importance of public trust
and information assurance.
2.4 BCS believes that CIOs, SROs and Programme
and Project Managers engaged in the Transformational Government
Agenda should be professionally qualified to ensure that data
is properly managed.
2.5 BCS believes that IT should be considered
a Board issue and a major risk to the reputation and financial
probity of an organisation.
QUESTIONS
1. How has the range and quantity of surveillance
and data collection by public and private organisations changed
the balance between citizen and state in recent years, whether
due to policy developments or technological developments? Which
specific forms of surveillance and data collection have the greatest
potential impact on this balance?
1.1 Each individual leaves a detailed trail
of personal information in public and private sector IT systems;
on the Internet; and on CCTV systems. In the majority of cases,
privacy is achieved through obscurity: for example, an individual
may be recorded on a CCTV system, but in the absence of other
personally identifiable information, their privacy is to all intents
and purposes safe. Similarly, the presence of a few items of personally
identifiable information in a computer system may not in itself
comprise sensitive personal information about that individual.
1.2 However, Government[1]
and industry are striving to improve the quality of the personal
information that they hold. This usually involves consolidating
the data into larger databases, and combining with other data
about the individual. The government often refers to this as "data
sharing" but the result is usually "data aggregation",
the joining of information together to form a larger, more detailed
record (rather than indexing two separate records).
1.3 Data aggregation can be achieved either
by using an existing unique identifier (such as a National Insurance
Number) or by "fuzzy logic" to make probability decisions
that two records do refer to the same individual. In either case,
the record will be assigned a unique index number for future reference
and ease of data recall.
1.4 The development of an identifier always
creates privacy violations. Fuzzy logic invariably involves a
"risk" decision, ie the system assigns a probability
that given fields of data do refer to the same individual. Inevitably,
there are errors where data is incorrectly matched and individuals
find that inaccurate data about them is processed or published.
The Credit Reference industry has gone to great lengths to resolve
this.
1.5 Government is trying to introduce legislation
that will create cross-departmental databases: at present there
are approved and regulation "gateways" that prevent
data being used for purposes other than that for which it was
originally obtained. However, BCS is extremely concerned about
data sharing/aggregation since the state risks losing public trust
by continuing to share data without proper debate and safeguards.
(Please refer to data sharing in the DVLA in the appendix).
1.6 BCS is agreed that the increasing use
of surveillance techniques and the potential for data misuse demand
rigorous processes and controls to ensure proper guardianship
of the extensive range of information held by Government bodies
and other organisations on individual citizens.
2. What forms of surveillance and data collection
might be considered constitutionally proper or improper? Can the
claimed administrative, security or service benefits of such activities
outweigh concerns about constitutional propriety? If so, under
what circumstances? Is there a line that should not be crossed?
If so, how might that line be identified?
2.1 Surveillance and data collection should
at all times be carried out within the Data Protection principles.
BCS strongly believes in the need to guarantee that personal information
will only be used for the purposes for which it was collected.
2.2 Data aggregation/sharing provides the
potential to accurately retrieve data across numerous databases
and build a picture of that individual's life that was not authorised
in the original valid consent for data collection.
2.3 BCS believes strongly that there is
a need to stimulate a public debate about the balance between
efficiency and privacy in relation to information held about individuals.
As a minimum, citizens should have the right to:
free access to all the data that
is held about them;
know who has access to it, and who
has actually accessed the data; and
Most of this is intended by the DPA, but its
provisions are in danger of being eroded.
2.4 BCS is also concerned about the need
to secure data against malicious attack. Although this is covered
by the Government's Information Assurance Strategy, the implementation
of which is the responsibility of CIOs in all Government departments,
in some departments this is seen as a "techy" concern
and often delegated much too far down the organisation. BCS believes
that IT should be considered a Board issue and a major risk to
the reputation and financial probity of a department.
3. What effect do public or private sector
surveillance and data collection have on a citizen's liberty and
privacy? Are there any constitutional rights or principles affected?
3.1 BCS believes that it is the unique identifier
(described under Question 1) that presents the most significant
threat to privacy and which is at the heart of an inadvertent
strategy to build a surveillance state. Once an individual has
been assigned a unique index number, it is possible to accurately
retrieve data across numerous databases and build a picture of
that individual's life that was not authorised in the original
valid consent for data collection. Often this is done with the
best of intentions: for example, to identify children at risk
by aggregating data from health, welfare, police and education
sources. The consequence, however, is an unwarranted and
unauthorised invasion of the privacy of each individual within
the system.
3.2 However, the greatest threat is the
publication of that index number. Once it falls into the wrong
hands, it can be used to aggregate data across all the sources
to which the perpetrator has access. The US Social Security Number
is the most widely referenced identifier for each US citizen,
and also the most widely abused.
3.3 It follows that BCS is concerned that
the UK's current strategy of building a National Identification
Registration Number, which will most likely be based on the
National Insurance Number, will provide the catalyst for
an escalation in surveillance and identity theft. The government
has stated its intention of printing that number on the ID card
which will be referenced in a host of government and commercial
transactions. Positive outcomes will be an increase in public
and private-sector efficiency, and a simplification of transactions
for the data subject, but an unwanted side effect will be privacy
violations. It is these that, if allowed to develop, will lead
to the UK being described as a Surveillance State.
3.4 Quite clearly any form of surveillance
will have an adverse effect on individual liberty. BCS believes
that an acceptable balance must be struck between protection of
society versus individual rights.
3.5 The Human Rights Act 1998 sets out provision
for the "right to private life"[2]
and it is this principle which will be affected by privacy violations.
4. What impact do surveillance and data collection
have on the character of citizenship in the 21st century, in terms
of relations with the State?
4.1 BCS members' views are polarised: some
are happy with certain measures, eg CCTV cameras, as there appear
to be statistics indicating that they lead to reductions in
crime. Others are very concerned, eg in the event of the improper
disclosure of personal data leading to "identity theft".
In such cases, one view is that there should be statutory compensation
perhaps linked to the impact level in HMG IS1 to reflect the emotional
and financial damage caused to the individual.
4.2 Other concerns raised by members include:
the storage and retention of fingerprints and DNA data of innocent
people on databases; and the covert use of telecommunications traffic
data for tracking mobile phones and recording internet usage.
5. To what extent are the provisions of the
Data Protection Act 1998 sufficient in safeguarding constitutional
rights in relation to the collection and use of surveillance or
personal data?
5.1 BCS believes that the provisions of
the DPA are more than adequate but is concerned that its provisions
are still not being properly adhered to, particularly in the private
sector, despite being 1984 legislation, updated in 1998. The public
sector (particularly at Local Government level) is mature in its
implementations of information governance compliance. However,
legal advice in different departments, agencies and organisations
varies with respect to the interpretation of the DPA in specific
circumstances. In particular, interpretations are being tested
in the courts in relation to the provisions of the Human Rights
Act.
5.2 BCS respectfully suggests that care
should be taken when producing legislation to ensure that it does
not appear to conflict with the DPA. For example, the Government,
through Connecting for Health (CfH), is apparently offering an
"opt-out" to patients with respect to their personal
data on the central spine system. By doing so, the DoH (through
CfH) is assuming that it is a data controller under the Data Protection
Act, whereas most patients think their medical professional is
in control. This claim to be a data controller arises since the
obligation to offer the right to object to the processing[3]
falls on a data controller. It follows that the DoH (and
the Secretary of State), by offering an opt-out, considers
it is a data controller (eg with respect to the NHS spine).
5.3 This complexity and lack of legal clarity
hinders the Government in its determination to deliver a transformed
public service based on active (and yet secure) information sharing.
6. Is there a need for any additional constitutional
protection of citizens in relation to the collection and use of
surveillance material and personal data? If so, what form might
such protection take?
6.1 The solution is not to regulate the
collection or processing of data, since the Data Protection Act
(1998) is already adequate for this, but instead to control
the assignment, use and dissemination of common identifiers about
the individual. Where the state assigns a "trusted"
identifier to an individual, this should not be published, shared
with the private sector, or relied upon as a sole identifier in
the absence of other identifying information (such as a name,
address, signature etc). Where the private sector applies such
identifiers, the Information Commissioner's Office should be given
greater support to enforce the correct and valid processing of
this sensitive personal information. Prudent and practical legislation
is now essential if we are to provide constitutional protection
for privacy for future generations.
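The two aggregation routes described in paragraph 1.3 (a join on a common identifier, or a "fuzzy logic" probability decision), the mismatch errors paragraph 1.4 says are inevitable, and the corroboration rule in 6.1 (an identifier should not be relied upon in the absence of other identifying information) can be shown in a few lines of Python. This is an added illustration, not code from the BCS memorandum or from any government system; every record, name, postcode and "NI" value is constructed, and the scoring weights and name comparator are deliberately simple stand-ins for real record-linkage algorithms.

```python
"""Record linkage the two ways paragraph 1.3 describes, and the failure
modes 1.4 and 6.1 warn about.  Constructed illustration, not code from the
BCS memorandum; every record, name and identifier below is made up."""

# Two hypothetical departmental extracts.  "ni" stands in for a common
# identifier such as a National Insurance Number; None means not recorded.
HEALTH = [
    {"id": "H1", "ni": "QQ123456A", "name": "Jonathan Smith", "dob": "1970-03-02", "postcode": "SW1A 1AA"},
    {"id": "H2", "ni": None,        "name": "Jon Smith",      "dob": "1981-09-15", "postcode": "E1 6AN"},
    {"id": "H3", "ni": "QQ999999C", "name": "Maria Garcia",   "dob": "1985-11-30", "postcode": "M1 1AE"},
]
WELFARE = [
    {"id": "W1", "ni": "QQ123456A", "name": "J. Smith",    "dob": "1970-03-02", "postcode": "SW1A 1AA"},
    # W2 is a different person who happens to share a common name and birth date with H2.
    {"id": "W2", "ni": None,        "name": "Jon Smith",   "dob": "1981-09-15", "postcode": "E1 6AW"},
    # W3 carries H3's identifier through a constructed data-entry error.
    {"id": "W3", "ni": "QQ999999C", "name": "Peter Jones", "dob": "1962-07-14", "postcode": "LS1 4AP"},
]
# Ground truth (which real person each record describes), used only to
# count wrong links.  Real systems do not have this, which is the point.
TRUTH = {"H1": "p1", "H2": "p2", "H3": "p3", "W1": "p1", "W2": "p4", "W3": "p5"}


def _tokens(name):
    """Lower-case alphabetic tokens: 'J. Smith' -> ['j', 'smith']."""
    return ["".join(ch for ch in tok.lower() if ch.isalpha()) for tok in name.split()]


def name_similarity(n1, n2):
    """Crude, deterministic stand-in for a fuzzy name comparator:
    1.0 if surnames agree and one forename is a prefix of the other
    ('Jon' or 'J' against 'Jonathan'), 0.5 if only surnames agree, else 0.0."""
    t1, t2 = _tokens(n1), _tokens(n2)
    if not t1 or not t2 or t1[-1] != t2[-1]:
        return 0.0
    f1, f2 = t1[0], t2[0]
    return 1.0 if f1.startswith(f2) or f2.startswith(f1) else 0.5


def match_score(r1, r2):
    """Probability-style score that two records describe the same person.
    Weights are illustrative, not calibrated against any real data."""
    score = 0.4 * name_similarity(r1["name"], r2["name"])
    score += 0.4 if r1["dob"] == r2["dob"] else 0.0
    same_pc = r1["postcode"].replace(" ", "").upper() == r2["postcode"].replace(" ", "").upper()
    score += 0.2 if same_pc else 0.0
    return round(score, 3)


def link_by_identifier(a, b):
    """Deterministic join on the common identifier alone (1.3, first route)."""
    return [(x["id"], y["id"]) for x in a for y in b
            if x["ni"] is not None and x["ni"] == y["ni"]]


def link_by_similarity(a, b, threshold=0.7):
    """'Fuzzy logic' join: accept any pair whose score clears the threshold (1.3, second route)."""
    return [(x["id"], y["id"]) for x in a for y in b if match_score(x, y) >= threshold]


def link_corroborated(a, b, min_score=0.5):
    """Paragraph 6.1's rule: an identifier match counts only when other
    identifying information (name, date of birth, address) also agrees."""
    return [(x["id"], y["id"]) for x in a for y in b
            if x["ni"] is not None and x["ni"] == y["ni"] and match_score(x, y) >= min_score]


def false_matches(pairs, truth=TRUTH):
    """Links that join records belonging to two different people."""
    return [(i, j) for i, j in pairs if truth[i] != truth[j]]


if __name__ == "__main__":
    for label, pairs in [("identifier only", link_by_identifier(HEALTH, WELFARE)),
                         ("fuzzy", link_by_similarity(HEALTH, WELFARE)),
                         ("identifier + corroboration", link_corroborated(HEALTH, WELFARE))]:
        print(f"{label:28s} links={pairs} wrong={false_matches(pairs)}")
```

Run as a script, the identifier-only join links Maria Garcia's health record to Peter Jones's welfare record because of the mis-keyed identifier, and the fuzzy join links two different Jon Smiths who share a birth date. The corroborated join rejects the first error but can do nothing about the second, which is the residual risk 1.4 describes: a probability threshold trades missed matches against false ones, and the individual on the wrong end of a false one has no way to see it unless access and linkage decisions are logged and reviewable, as 2.3 asks.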
6.2 The majority of the UK citizens have
a mobile phone that is a tracking device in its own right since
it is permanently emitting a GPS signal. The communication traffic
is also stored in several locations. The European Data Retention
Directive is seeking to implement a legal requirement to retain
the traffic data (not the content) for a specific period of time
in case it is required to assist in the investigation of a crime.
BCS believes that the existence of the information does not warrant
its utilisation for anything other than a specific purpose for
which a Privacy Impact Assessment has been undertaken.
6.3 In addition, because of the new government
emphasis on "a presumption of sharing" and notwithstanding
guidance from the DCA, the original collector and owner of personal
data should have a duty of care with respect to that data to ensure
any organisation sharing it understands any caveat associated
with its integrity and appropriateness for use for purposes other
than that for which it was originally collected (eg has it been
verified or is it interpretation and hearsay, when was it collected
and does it have a finite useful life, has it been cleansed).
6.4 This is particularly important in relation
to such things as the proposed summary care record. At present
the patient record is held and maintained by the citizen's GP.
Once it moves to the spine, it will be possible for others (eg
hospital or walk-in-centre clinicians) to add to it. GPs are reluctant
to retain responsibility for data added or amended without their
having seen the patient and it is unclear who would have guardianship
of the integrity and accuracy of the central record.
7. CONCLUDING
REMARKS
7.1 BCS recognises that no democratic government
seeks to undermine civil liberties deliberately through the construction
of a surveillance state. However, it is evident that such an outcome
arises not due to the deliberate intention of the state, or any
private sector body, but rather the failure to prevent the sharing
and aggregation of data without suitable privacy safeguards.
7.2 The issues raised in this paper have
been debated by participants at a thought leadership debate, sponsored
by BCS Government Relations Group (GRG), in October 2006, with
further material from BCS's IPEP[4]
in particular. BCS is working in this area and would be very happy
to provide further advice to the committee as and when it feels
it to be appropriate.
6 June 2007
APPENDIX
DATA SHARING EXAMPLE: DVLA
What data does DVLA hold on citizens and who does
it share that data with?
The DVLA registers hold data included on a driving
licence application or renewal, vehicle keepership and on vehicle
road tax payments and renewals. The personal data includes: name,
date of birth, address, phone number (voluntary), photo, signature,
gender, vehicle types individuals are entitled to drive (and record
history of each), points on licence, whether disqualified or not.
So the DVLA holds information on people's identities,
notified contact address, vehicles they hold as registered keepers
and financial data in respect of their payment of Vehicle Excise
Duty. The vehicle keeper data are also available to anyone who
has reasonable cause eg wheel clamping companies and insurance
companies. This is a statutory requirement and the vehicle keeper
is not therefore consulted about access. Currently, the vehicle
systems have no functionality that allows such access to be logged in
an audit trail that the keeper could review.
Few citizens would be concerned about the degree
of data sharing by DVLA (see the diagram below). However, a series
of Government initiatives and law changes could potentially result
in sharing this data more widely. DVLA is more likely to become
the recipient of data from a wider range of agencies, particularly
in respect of authentication of identity (result: fewer fraudulent
records) or address change notification (result: citizens would
have to notify fewer agencies). These changes include:
MISC31: DCA review of barriers to data sharing, report May 2007.
Review of Information on Criminality, Home Office, January 2007.
Criminal Justice Bill, May 2007.
There is pressure to harmonize this access for
motorists and vehicles across the EU. Countries across the EU
have very different cultural and legal frameworks, in which interpretations
of the basic (European-wide) Data Protection legislation vary.
This makes the sharing of data complex. The call for this sharing
is as much public (eg foreign vehicles parking in London, avoiding
speeding fines) as it is governmental (road safety, crime reduction).
[Diagram: Who does DVLA share drivers' data with now?]
[1] For example, the Transformational Government Initiative (November 2005), which involves using new technologies to create better services and efficiencies by moving towards a shared services culture.
[2] Article 8: the right to respect for private and family life, home and correspondence.
[3] Section 10 of the Data Protection Act 1998.
[4] The BCS Information Privacy Expert Panel (IPEP) is responsible for establishing and maintaining the position of the BCS as an independent voice of authority within the field of information privacy.