Surveillance: Citizens and the State - Constitution Committee


Memorandum by the British Computer Society (BCS)

1.  SCOPE

  BCS has drawn on both its Government Relations Group and its information security experts, who have provided valued input into this consultation.

2.  EXECUTIVE SUMMARY

  2.1  Whilst BCS supports the need for efficient public services which fully utilise the technology available, and understands the concerns which lead to the increase in surveillance measures, it is extremely perturbed about the increasing (although not deliberate) power of the state vis-à-vis the citizen as surveillance measures proliferate and data collection increases.

  2.2  BCS wishes to warn policy makers of all the issues surrounding use of a "common identifier" in data sharing/aggregation and calls for adequate safeguards to protect the public in the light of this knowledge.

  2.3  BCS believes the government should provide clear guidance on the guardianship of shared/aggregated data on individual citizens and recognize the importance of public trust and information assurance.

  2.4  BCS believes that CIOs, SROs and Programme and Project Managers engaged in the Transformational Government Agenda should be professionally qualified to ensure that data is properly managed.

  2.5  BCS believes that IT should be considered a Board issue and a major risk to the reputation and financial probity of an organisation.

QUESTIONS

1.  How has the range and quantity of surveillance and data collection by public and private organisations changed the balance between citizen and state in recent years, whether due to policy developments or technological developments? Which specific forms of surveillance and data collection have the greatest potential impact on this balance?

  1.1  Each individual leaves a detailed trail of personal information in public and private sector IT systems; on the Internet; and on CCTV systems. In the majority of cases, privacy is achieved through obscurity: for example, an individual may be recorded on a CCTV system, but in the absence of other personally identifiable information, their privacy is to all intents and purposes safe. Similarly, the presence of a few items of personally identifiable information in a computer system may not in itself comprise sensitive personal information about that individual.

  1.2  However, Government[1] and industry are striving to improve the quality of the personal information that they hold. This usually involves consolidating the data into larger databases, and combining with other data about the individual. The government often refers to this as "data sharing" but the result is usually "data aggregation", the joining of information together to form a larger, more detailed record (rather than indexing two separate records).

  1.3  Data aggregation can be achieved either by using an existing unique identifier (such as a National Insurance Number) or by "fuzzy logic" to make probability decisions that two records do refer to the same individual. In either case, the record will be assigned a unique index number for future reference and ease of data recall.

  1.4  The development of an identifier always creates privacy violations. Fuzzy logic invariably involves a "risk" decision, ie the system assigns a probability that given fields of data do refer to the same individual. Inevitably, there are errors where data is incorrectly matched and individuals find that inaccurate data about them is processed or published. The credit reference industry has gone to great lengths to resolve this.
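  As an illustration of the fuzzy-logic matching described in 1.3 and 1.4 (an added example, not part of the BCS memorandum), the following Python sketch scores a candidate pair of records field by field, turns the score into a probability, and shows how a single merge threshold can wrongly join a namesake's record to another person's, whereas a second "review" band routes the ambiguous pair to a human instead. All records, field weights, prior and thresholds are constructed values.

```python
import math

# Constructed m/u probabilities per field: m = P(field agrees | same person),
# u = P(field agrees | two different people). Real systems estimate these from data.
FIELD_WEIGHTS = {
    "surname":  (0.95, 0.02),
    "forename": (0.90, 0.05),
    "dob":      (0.98, 0.001),
    "postcode": (0.85, 0.01),
}
PRIOR_MATCH_RATE = 1e-4  # constructed: fraction of candidate pairs that truly match


def field_weight(field: str, agree: bool) -> float:
    """Log2 likelihood ratio contributed by one field agreeing or disagreeing."""
    m, u = FIELD_WEIGHTS[field]
    return math.log2(m / u) if agree else math.log2((1 - m) / (1 - u))


def match_score(a: dict, b: dict) -> float:
    """Fellegi-Sunter style total weight over all compared fields."""
    return sum(field_weight(f, a.get(f) == b.get(f)) for f in FIELD_WEIGHTS)


def match_probability(a: dict, b: dict) -> float:
    """Posterior probability that a and b describe the same individual."""
    prior_odds = PRIOR_MATCH_RATE / (1 - PRIOR_MATCH_RATE)
    odds = prior_odds * 2 ** match_score(a, b)
    return odds / (1 + odds)


def classify(a: dict, b: dict, auto_link: float = 0.99, review: float = 0.5) -> str:
    """A single-threshold system merges anything above one cut-off; adding an
    upper band sends ambiguous pairs to clerical review instead of merging them."""
    p = match_probability(a, b)
    if p >= auto_link:
        return "match"
    if p >= review:
        return "review"
    return "non-match"


# Constructed records: A and B are the same person; C is a different person
# who shares the name and date of birth but lives at another address.
REC_A = {"surname": "Smith", "forename": "John", "dob": "1970-03-02", "postcode": "AB1 2CD"}
REC_B = {"surname": "Smith", "forename": "John", "dob": "1970-03-02", "postcode": "AB1 2CD"}
REC_C = {"surname": "Smith", "forename": "John", "dob": "1970-03-02", "postcode": "EF3 4GH"}

if __name__ == "__main__":
    for name, other in (("B", REC_B), ("C", REC_C)):
        p = match_probability(REC_A, other)
        single = "merge" if p >= 0.9 else "keep apart"
        print(f"A vs {name}: p={p:.3f} single-threshold(0.9)={single} banded={classify(REC_A, other)}")
```

  With these weights the namesake pair scores about 0.93, so a system that merges at 0.9 would aggregate two different people's data, while the banded classifier holds it for review.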

  1.5  Government is trying to introduce legislation that will create cross-departmental databases: at present there are approved and regulated "gateways" that prevent data being used for purposes other than that for which it was originally obtained. However, BCS is extremely concerned about data sharing/aggregation since the state risks losing public trust by continuing to share data without proper debate and safeguards. (Please refer to the DVLA data sharing example in the appendix.)

  1.6  BCS is agreed that the increasing use of surveillance techniques and the potential for data misuse demand rigorous processes and controls to ensure proper guardianship of the extensive range of information held by Government bodies and other organisations on individual citizens.

2.  What forms of surveillance and data collection might be considered constitutionally proper or improper? Can the claimed administrative, security or service benefits of such activities outweigh concerns about constitutional propriety? If so, under what circumstances? Is there a line that should not be crossed? If so, how might that line be identified?

  2.1  Surveillance and data collection should at all times be carried out within the Data Protection principles. BCS strongly believes in the need to guarantee that personal information will only be used for the purposes for which it was collected.

  2.2  Data aggregation/sharing provides the potential to accurately retrieve data across numerous databases and build a picture of that individual's life that was not authorised in the original valid consent for data collection.

  2.3  BCS believes strongly that there is a need to stimulate a public debate about the balance between efficiency and privacy in relation to information held about individuals. As a minimum, citizens should have the right to:

    —  free access to all the data that is held about them;

    —  correct errors;

    —  know who has access to it, and who has actually accessed the data; and

    —  challenge that access.

  Most of this is intended by the DPA, but its provisions are in danger of being eroded.

  2.4  BCS is also concerned about the need to secure data against malicious attack. Although this is covered by the Government's Information Assurance Strategy, the implementation of which is the responsibility of CIOs in all Government departments, in some departments this is seen as a "techy" concern and often delegated much too far down the organisation. BCS believes that IT should be considered a Board issue and a major risk to the reputation and financial probity of a department.

3.  What effect do public or private sector surveillance and data collection have on a citizen's liberty and privacy? Are there any constitutional rights or principles affected?

  3.1  BCS believes that it is the unique identifier (described under Question 1) that presents the most significant threat to privacy and which is at the heart of an inadvertent strategy to build a surveillance state. Once an individual has been assigned a unique index number, it is possible to accurately retrieve data across numerous databases and build a picture of that individual's life that was not authorised in the original valid consent for data collection. Often this is done with the best of intentions: for example, to identify children at risk by aggregating data from health, welfare, police and education sources. The consequence, however, is an unwarranted—and unauthorised—invasion of privacy of each individual within the system.

  3.2  However, the greatest threat is the publication of that index number. Once it falls into the wrong hands, it can be used to aggregate data across all the sources to which the perpetrator has access. The US Social Security Number is the most widely referenced identifier for each US citizen, and also the most widely abused.

  3.3  It follows that BCS is concerned that the UK's current strategy of building a National Identification Registration Number—which will most likely be based on the National Insurance Number—will provide the catalyst for an escalation in surveillance and identity theft. The government has stated its intention of printing that number on the ID card which will be referenced in a host of government and commercial transactions. Positive outcomes will be an increase in public and private-sector efficiency, and a simplification of transactions for the data subject, but an unwanted side effect will be privacy violations. It is these that, if allowed to develop, will lead to the UK being described as a Surveillance State.

  3.4  Quite clearly any form of surveillance will have an adverse effect on individual liberty. BCS believes that an acceptable balance must be struck between protection of society versus individual rights.

  3.5  The Human Rights Act 1998 sets out provision for the "right to private life"[2] and it is this principle which will be affected by privacy violations.

4.  What impact do surveillance and data collection have on the character of citizenship in the 21st century, in terms of relations with the State?

  4.1  BCS members' views are polarised—some are happy with certain measures, eg CCTV cameras as there appear to be statistics that identify that they lead to reductions in crime. Others are very concerned, eg in the event of the improper disclosure of personal data leading to "identity theft." In such cases, one view is that there should be statutory compensation perhaps linked to the impact level in HMG IS1 to reflect the emotional and financial damage caused to the individual.

  4.2  Other concerns raised by members include: the storage and retention of fingerprints and DNA data of innocent people on databases; and the covert use of telecommunications traffic data for tracking mobile phones and recording internet usage.

5.  To what extent are the provisions of the Data Protection Act 1998 sufficient in safeguarding constitutional rights in relation to the collection and use of surveillance or personal data?

  5.1  BCS believes that the provisions of the DPA are more than adequate but is concerned that its provisions are still not being properly adhered to, particularly in the private sector, despite being 1984 legislation, updated in 1998. The public sector (particularly at Local Government level) is mature in its implementation of information governance compliance. However, legal advice in different departments, agencies and organisations varies with respect to the interpretation of the DPA in specific circumstances. In particular, interpretations are being tested in the courts in relation to the provisions of the Human Rights Act.

  5.2  BCS respectfully suggests that care should be taken when producing legislation to ensure that it does not appear to conflict with the DPA. For example, the Government, through Connecting for Health (CfH), is apparently offering an "opt-out" to patients with respect to their personal data on the central spine system. By doing so, the DoH (through CfH) is assuming that it is a data controller under the Data Protection Act, whereas most patients think their medical professional is in control. This claim to be a data controller arises since the obligation to offer the right to object to the processing[3] falls on a data controller. It follows that the DoH—and the Secretary of State—by offering an opt-out considers it is a data controller (eg with respect to the NHS spine).

  5.3  This complexity and lack of legal clarity hinders the Government in its determination to deliver a transformed public service based on active (and yet secure) information sharing.

6.  Is there a need for any additional constitutional protection of citizens in relation to the collection and use of surveillance material and personal data? If so, what form might such protection take?

  6.1  The solution is not to regulate the collection or processing of data—the Data Protection Act (1998) is already adequate for this—but instead to control the assignment, use and dissemination of common identifiers about the individual. Where the state assigns a "trusted" identifier to an individual, this should not be published, shared with the private sector, or relied upon as a sole identifier in the absence of other identifying information (such as a name, address, signature etc). Where the private sector applies such identifiers, the Information Commissioner's Office should be given greater support to enforce the correct and valid processing of this sensitive personal information. Prudent and practical legislation is now essential if we are to provide constitutional protection for privacy for future generations.

  6.2  The majority of UK citizens have a mobile phone that is a tracking device in its own right since it is permanently emitting a GPS signal. The communication traffic is also stored in several locations. The European Data Retention Directive is seeking to implement a legal requirement to retain the traffic data (not the content) for a specific period of time in case it is required to assist in the investigation of a crime. BCS believes that the existence of the information does not warrant its utilisation for anything other than a specific purpose for which a Privacy Impact Assessment has been undertaken.

  6.3  In addition, because of the new government emphasis on "a presumption of sharing" and notwithstanding guidance from the DCA, the original collector and owner of personal data should have a duty of care with respect to that data to ensure any organisation sharing it understands any caveat associated with its integrity and appropriateness for use for purposes other than that for which it was originally collected (eg has it been verified or is it interpretation and hearsay, when was it collected and does it have a finite useful life, has it been cleansed).

  6.4  This is particularly important in relation to such things as the proposed summary care record. At present the patient record is held and maintained by the citizen's GP. Once it moves to the spine, it will be possible for others (eg hospital or walk-in-centre clinicians) to add to it. GPs are reluctant to retain responsibility for data added or amended without their having seen the patient, and it is unclear who would have guardianship of the integrity and accuracy of the central record.

7.  CONCLUDING REMARKS

  7.1  BCS recognises that no democratic government seeks to undermine civil liberties deliberately through the construction of a surveillance state. However, it is evident that such an outcome arises not due to the deliberate intention of the state, or any private sector body, but rather the failure to prevent the sharing and aggregation of data without suitable privacy safeguards.

  7.2  The issues raised in this paper have been debated by participants at a thought leadership debate, sponsored by BCS Government Relations Group (GRG), in October 2006, with further material from BCS's IPEP[4] in particular. BCS is working in this area and would be very happy to provide further advice to the committee as and when it feels it to be appropriate.

6 June 2007

APPENDIX

DATA SHARING EXAMPLE—DVLA

What data does DVLA hold on citizens and who does it share that data with?

  The DVLA registers hold data included on a driving licence application or renewal, vehicle keepership and on vehicle road tax payments and renewals. The personal data includes: name, date of birth, address, phone number (voluntary), photo, signature, gender, vehicle types individuals are entitled to drive (and record history of each), points on licence, whether disqualified or not.

  So the DVLA holds information on people's identities, notified contact address, vehicles they hold as registered keepers and financial data in respect of their payment of Vehicle Excise Duty. The vehicle keeper data are also available to anyone who has reasonable cause, eg wheel clamping companies and insurance companies. This is a statutory requirement and the vehicle keeper is not therefore consulted about access. Currently, the vehicle systems have no functionality that allows such access to be logged in an audit trail which the keeper can review.

  Few citizens would be concerned about the degree of data sharing by DVLA (see the diagram below). However, a series of Government initiatives and law changes could potentially result in sharing this data more widely. DVLA is more likely to become the recipient of data from a wider range of agencies, particularly in respect of authentication of identity (result: fewer fraudulent records) or address change notification (result: citizens would have to notify fewer agencies). These changes include:

    —  MISC31—DCA review of barriers to data sharing—report May 2007.

    —  Review of Information on Criminality—Home Office—January 2007.

    —  Serious Crime Bill.

    —  Criminal Justice Bill—May 2007.

    —  ID Card Bill—2006.

  There is pressure to harmonize this access for motorists and vehicles across the EU. Countries across the EU have very different cultural and legal frameworks, in which interpretations of the basic (European-wide) Data Protection legislation vary. This makes the sharing of data complex. The call for this sharing is as much public (eg foreign vehicles parking in London, avoiding speeding fines) as it is governmental (road safety, crime reduction).

Who does DVLA share Drivers data with now?

  [Diagram not reproduced in this text version.]
1   For example, the Transformational Government Initiative (November 2005), which involves using new technologies to create better services and efficiencies by moving towards a shared services culture.

2   Article 8: the right to respect for private and family life, home and correspondence.

3   Section 10 of the Data Protection Act 1998.

4   The BCS Information Privacy Expert Panel (IPEP) is responsible for establishing and maintaining the position of the BCS as an independent voice of authority within the field of information privacy.


© Parliamentary copyright 2009