Examination of Witnesses (Questions 260-279)|
Mr Gareth Crossman, Dr Eric Metcalfe and Dr Gus Hosein
6 FEBRUARY 2008
Q260 Lord Peston: The alternative
view, and I used to be an expert on public good, is that your
approach to this matter brings the right to privacy into disrepute.
Dr Metcalfe: No more so than the right
to refuse medical treatment.
Q261 Lord Peston: I should not really
be arguing with you.
Dr Hosein: I just think we are approaching this
from a slightly wrong perspective. What we are talking about is,
of course, as an individual patient moves around the system, it
would be ideal if his or her medical records followed accordingly.
Instead, what is being designed is a centralised database of all
the medical records of all the people in this country, without
their consent, made accessible across the NHS and other Government
departments to 400,000 different types of civil servants who can
get access to your medical records. That is a design issue, and
that is wrong. If we could design something that made it completely
possible for an individual to carry around say, a medical card
that carries the record from office to office to office and discloses
only what is necessary to that doctor or that hospital, that is
fantastic, but that is not what has ever been considered.
Q262 Baroness O'Cathain: We have
recently had some very good evidence from people dealing with
the DNA database, so what additional legal and ethical safeguards
would you suggest for the national DNA database?
Dr Hosein: I believe all of our organisations
have been involved in the Marpa case as it goes to the
European Court. We submitted a brief to the European Court discussing
some solutions to the current problem. To answer your question
directly, I believe that a complete rethink is required. If I
was forced to come up with a solution for the DNA issue for the
police, it would be to create a database of all the cold caseswith
all the evidence left at scenes of crime over the yearsand
create a DNA database of that. As you arrest and charge people,
you can take DNA to verify against that database, but there is
no need to collect the information arbitrarily based on just being
arrested and retaining it indefinitelyI do not agree with
that. Dr Helen Wallace, who, I believe, has spoken; she is our
adviser on that issue.
Q263 Baroness O'Cathain: Could we
have a copy of your submission to the European Court, because
I do not think we have had that?
Dr Hosein: I am not sure that we are
Q264 Baroness O'Cathain: It just
might help us to concentrate our minds.
Dr Hosein: I would love to and if I can
look into that, I will definitely come back to you.
Mr Crossman: You asked a question about
the legal regime and there are some specific changes that I would
make to the current regime as we have it in order to, in my view,
make the current retention of DNA more proportionate. In recent
years there has been roll-out of the national DNA database so
that permanent retention of DNA samples is allowed from anybody
who is arrested for what is called a "recordable offence".
A recordable offence is an offence which carries a sentence of
imprisonment, even if you do not get sent to prison. So, from
a very minor offence or some other non-imprisonable offences such
as begging, if you are arrested for any of those offences
and actually charged, you can have your DNA permanently retained
until you are 100 years old. There is really no statutory basis
for getting rid of it; that is where the problem lies. It is very
open-ended, it is left to the discretion of individual forces,
who apply it on a rather arbitrary and piecemeal basis. The default
position is not to delete samples of DNA, they only tend to be
deleted when an individual is so bloody-minded about it that they
continue to push and push until in the end the individual police
force gets rid of it. That is not a satisfactory basis.
Q265 Chairman: I have received an
extremely helpful suggestion that if possible Liberty's view of
the DNA database might be sent to us on paper, in the interests
of time marching on.
Mr Crossman: Absolutely. I have passed
a few copies of the report around which probably contains all
the information you need.
Chairman: Could I make a traditional Chairman's
appeal for brevity in answering questions.
Q266 Lord Peston: Again, another
one of the areas where we have had very considerable technical
and technological advances is in tracking people's movements.
I am not very clear on how advanced we are on tracking their movements
domestically but clearly we now know a lot about their movements
across international borders. Is this a major infringement or
potentially a major infringement to individual rights and liberties
and privacy, or is it a minor matter? What is your view on this?
Do we need more safeguards?
Dr Metcalfe: JUSTICE's view is that this
is a very serious matter. I think a lot of passengers to the United
States since 9/11 have perhaps not appreciated how much information
the United States Government has required of them and that has
been passed without their knowledge. There was a recent decision
from the European Union in relation to the extent of the interference
which was found to be disproportionate. Again, the European Union
itself runs a number of very detailed databases, particularly
for anyone entering the Schengen area, a great deal of information
is gained. The Home Office is now rolling out its new border security
network and anyone on a flight to the United Kingdom from any
point in the world is now likely to find themselves flagged and
cross-referenced with the information. There are various systems
that are rolling out, but I think people fail to appreciate when
they travel and, of course, international travel is becoming increasingly
common, exactly how much information can be shared. I think this
is a particular vulnerability because the regulation governing
this is not merely what is governed by the United Kingdom, but
is also governed by international agreements, in particular, agreements
relating to counter-terrorism, and so states are far more willing
to share private and personal sensitive information about travellers
than they would be in relation to, say, their own citizens.
Dr Hosein: I am very grateful to you
for raising this question because out of all the debates anywhere
in the world, the least well-conducted debate is the debate about
borders. As an international traveller there is nowhere on earth
that you have less rights than at the border of another country,
and we are not dealing with that issue. For example, this Government
is moving forward on e-borders. I have spoken to senior members
of every party and they have no idea what the plans are, we do
not pay attention to the plans because we think it applies to
other people. That is exactly why, in the United States, they
are fingerprinting foreigners, the Americans do not seem to be
very concerned, but if they started doing it to Americans, they
would be very concerned; but we do not focus on the other. Passenger
data transfers is a highly controversial issue that we have not
had a debate on in this country which is unfortunate because what
Governments are asking for is not just the passenger manifest,
which is your name, your birth date and the country of your passport,
they are asking for biographical data, such as your preferences,
your previous travel patterns, the type of data that they then
use to make decisions about you. The leading country in this is
the United States, where it has been uncovered, despite laws preventing
this from happening, there is an automated targeting programme
that reviews all this data, much of which is unreliableairlines
admit this data is not reliablethey review this data using
an argument that nobody understands and then flag you to say that
you are a risk, or you are not a risk, or you are 80 per cent
to be a risk, and you have no right to redress in any of these.
This is exactly what is going on in this country; it is exactly
what is going on in Europe.
Q267 Lord Peston: Are you saying
this is a warning or, given the vast amount of data that we are
talking about, is there anybody who could process that data, really
on that scale, accurately? You are talking about enormous amounts
of data and a lot of it is completely casual. I can see warning
it as a threat but are you going further than that?
Dr Hosein: These systems are being developed.
They probably do not work very well. You might have heard of situations
in California about three months ago where the systems crashed
and as a result they stopped admitting people at the airport.
They had to reroute airplanes, they kept people in the terminal
for 14 hours because they were terrified of letting potential
terrorists through because they had become reliant on these systems.
These systems are not reliable and that is why you have no legal
rights in these systems because if you did you would be able to
ask, "What information do you hold on me, may I correct it
please, may I correct my profile?" You may not.
Q268 Lord Peston: But it is really
misuse, often through incompetence, that you are warning about
rather than a more totalitarian fear that we have at this stage,
is that what you are saying? I do not know whether you have been
across the Channel on Eurostar, but it is a really rather casual
business. The idea that this is entering into a database as you
are being waived through, I think seems to me to be slightly exaggerated.
It is something one would worry about but I am surprised you are
saying we are there now.
Dr Hosein: We are there now. Eurostar
is a little bit more innocuous because there are no eating preferences
logged in the databases.
Q269 Lord Peston: Oh, so, do not
eat the food on the train?
Dr Hosein: That is it, indeed. But it
does contain information such as who paid for your ticket, and
that is sensitive to a lot of people. Is the company paying for
your ticket? Is a prospective employer paying for your ticket?
Is the Government paying for your ticket? The Americans are keeping
this data for 40 years; that is their current plan. Why?
Q270 Lord Peston: Can I take you
back to one other thing. Did you sayI was only half listeningthat
the fingerprints, say, mine that were taken in 1952 when I went
to America for the first time to do research, the Americans store
it for 100 years? So my fingerprints are still on record from
all those years ago?
Dr Hosein: Yes, that is right.
Q271 Lord Rowlands: I would like
to come back to more domestic issues. If these reports advocate
new legislation to regulate CCTV cameras, I wonder if you could
briefly outline what kind of legislation is required at the moment
and how would it compare, for example, with the Information Commissioner's
Code of Practice?
Mr Crossman: I am aware that for approximately
80 per cent of my time as Director of Policy at Liberty I am calling
for fewer laws and the rest of the time when speaking about privacy
I usually spend calling for more laws. So, you need to be able
to justify why you are doing so. I think that CCTV is very under
regulated. The Data Protection Act provides a regulatory framework.
In the case of Durrant, which caused all sorts of consternation
about the extent to which different CCTV systems were covered
by the Data Protection Act, which itself is rather creaking at
the seams and is rather outdated. New specific legislation covering
CCTV is needed, which would be drawn very much on the ICO's guidance;
the ICO provides very good guidance. It is very detailed about
where, how and what is the justification for placement of individual
CCTV systems; a very good idea. There is no reason why that cannot
be in statute. The difference being, guidance is guidance, statute
has the capability of enforcement. That would be the template
on which I would base it and when I talk of enforcement, which
is not something you generally do at Liberty to talk about bringing
sanctions, but the ability for civil sanctions to be imposed upon
authorities who fragrantly breach the requirements under the CCTV
legislation, the possibility even of criminal sanction for people
who intentionally misuse CCTV footage with the intention to cause
harm to others. Basically, the Data Protection Act does not provide
the perfect framework, it is a very long way from being the perfect
framework. The ICO and also many local authorities, with the local
government information unit guidance, have provided a very good
basis. It is not a very big job to take that and put that into
the basis of more formal statutory regulation.
Q272 Lord Rowlands: I do not know
if you read the evidence that a senior police officer gave us
a couple of weeks ago on CCTV. The impression that was left, on
me anyway, was that it is incredible the way it has grown like
Topsy and indeed, the vast majority of it is in the private sector
and not the public sector. Do you think it is going to be feasible
to try to construct a piece of statutory legislation that covers
this now huge gamut of existing, let alone future, CCTV provisions?
Can you explain to us the problems of even matching up one kind
of system with another, in delivering useful evidence for a court
case, for example. I would just like to know how you would manage
legislatively to cover that whole world.
Mr Crossman: That does raise another
separate issue which is that you can pass all the laws in the
world but unless they are effectively enforced then it is not
much use. The Information Commissioner's Office does very good
work. They have tried as well as they can to provide appropriate
guidance on CCTV. I think they are very much under funded and
find it very difficult to do the job that they do. I do not see
a significant problem in having an overarching piece of legislation
that applies to both public and private sector.
Q273 Lord Rowlands: The legislation
would apply to retail premises which have a camera?
Mr Crossman: That is exactly what the
Data Protection Act does now. The point I might make about that
is that there is an arguable case for a separate CCTV Commissioner.
Q274 Lord Lyell of Markyate: I agree
with so much of what you say, but I think we are just overwhelmed
with regulation and if every small shop has got to make an application
to a local authority to have the CCTV in its shop -which really
does not worry me one bitI just think you are piling it
on and think you should concentrate on other points. Can you tell
us what benefit would come from this?
Mr Crossman: I do not see any fundamental
change in the structure of the system. At the moment, if you operate
a CCTV system, which falls under the Data Protection Act, you
are supposed to register with the Information Commissioner's office.
I think a lot of people do not, but they are supposed to. I am
not saying that it should be any different, I am not saying that
camera systems like private systems that do not look out and are
not focused on different areas which currently fall out of the
DPA, I am not suggesting that they should be brought in to CCTV
legislation. Essentially, I am not saying that there should be
any change in which cameras are governed, what I am saying is
that there needs to be better regulation. In fact, I think this
would lead to far fewer cameras. The problem we have, particularly
in terms of crime detection is that the systems we have are often
very poor. I used to practice as a criminal lawyer and I know
how poor some of these systems are for evidential purposes. I
think fewer but better systems would be brought in by regulation.
With fewer cameras, the footage they did have might be of better
use in crime detection.
Q275 Lord Rowlands: Did I hear you
say that you wanted a CCTV commissioner?
Mr Crossman: I think it is an idea.
Q276 Lord Rowlands: Normally, you
are wanting to do away with Commissioners not create new ones.
Mr Crossman: I know I am. The reason
I say that slightly guardedly is because I would be loathe to
suggest anything that increases the resource burden on the Information
Commissioner's Office who I believe is very much under-resourced.
Given proper resourcing for his office, I do not see any reason
why he cannot continue in the same way as he regulates the DPA,
to regulate CCTV more generally. That is the reason why I suggested
it, not loading any more work on him.
Dr Metcalfe: Just to reinforce very briefly
the point made by Mr Crossman that you can have all the laws that
you like but enforcement is key. What we find at the moment is
that the Information Commissioner is struggling to cover both
the public and private sectors. In particular, and this is a very
simple point, the Information Commissioner has the power to audit
a private company in relation to their data protection, for example,
but they do not have any power to compel an audit. So they can
request an audit and if the company agrees, the Information Commissioner
can carry out the audit. If the company refuses, then the Information
Commissioner cannot act. That seems to us to be a basic anomaly.
Dr Hosein: CCTV is a great example of
public policy failure in the sense that we do not know how many
cameras there are, we do not know how much they cost, we do not
know how they are actually used, yet we keep on supporting them.
I do not quite understand how that works. I do not understand
how other countries can get by without CCTV cameras or focus on
a specific environment. The Home Office report from last year
said that on anecdotal evidence -and you probably heard this from
the senior policeman you referred to earlier80 per cent
of the images are not of use. So why are we spending money on
all these cameras? It does not add up in the end and I cannot
figure it out. For example, my own council sent me an advertisement
last month which said, "Oh, we are spending more money on
public safety, we have invested £1 million in ten more cameras",
and they say, "some of which will be focused on problem areas".
Well, where are the rest going? And why is their entire policing
budget going into CCTV? Does that local council know the evidence
about CCTV? Has it questioned the effectiveness of CCTV? No, the
politicians and policy makers grab budgets, throw them at CCTV
because the public seems to want it and it seems to be the solution
to a problem that they have not yet quite identified.
Q277 Chairman: Could I move on from
CCTV to wider aspects of the Data Protection Act. Liberty's written
evidence said that the Data Protection Act is not equipped to
cope with mass data processing exercises because, for example,
the requirement that processing should only take place for specified
purposes is weak. Can you say how you think this weakness can
be overcome and the working of the Act improved?
Mr Crossman: I know that time is an issue
here so this subject is covered in a fair amount of detail in
the report which I have handed to you, so I will be quite brief.
The Data Protection Act is a piece of legislation based on the
1995 Directive, which was good for the time but is now showing
the strain of not being able to deal with mass informational sharing,
which ten years ago was pretty much unimaginable. It is not simply
looking at the Data Protection Act, it is looking very much at
the Information Commissioner's powers to take proactive action
to ensure Data Protection compliance. But there are issues, both
over implementation of the DPA, over, for example, the definition
of personal data, where the UK seems to have not applied the definition
of personal data which is contained in the Directive and enforced
by many other countries, which allows data to be franchised out
in a non-DPA compliant way. The Data Protection Act is not an
enforcement or regulatory mechanism, it is an administrative mechanism.
The way it is set up, it says, "This is how things will happen",
but if they do not happen, there is not really much comeback.
Something a little bit more robust is overdue.
Q278 Lord Lyell of Markyate: This
is a very good paper by JUSTICE, if I may say so, particularly
in explaining the role of the common law and the development of
the law. But, how important do you think human rights legislation
and European regulatory frameworks are in safeguarding United
Kingdom citizens from the dangers of surveillance and data collection?
How might this kind of regulation be improved? You point out that
there are many more regulations in Europe, that they approach
things differently. Can you explain it to us?
Dr Metcalfe: We cannot go the European
route, we cannot rework much of our legal system. The European
approach to personal identity is very different, they have the
registration of names, for example, whereas under common law,
you are free to call yourself any name that you choose so long
as you do not commit fraud or deceive another person to obtain
a benefit thereby. We are pretty much stuck with the common law
tradition in the way we enact legislation and the way we interpret
our legislation. The European Convention on Human Rights as an
overarching framework is extremely important in providing a general
principle -the general right to privacyand that is very
valuable. I would also say that European Union law is very helpful,
in particular, the work of the European Data Commissioner in protecting
the privacy rights of individuals in relation to the various information
gathering powers that the European institutions have, particularly
the European Commission, but obviously, more work needs to be
done. There is very limited awarenesscertainly at the public
level but even among Government departmentsof the very
broad reach of European law into our domestic law, particularly
as it relates to privacy. A very good example of this is the information-sharing
agreement between law enforcement databases. It is now going to
be possible for law enforcement data to be passed between European
Union countries, on the basis of mutual recognition, which is
that the information held on the police database will be available
to other police forces throughout the European Union. The concern,
of course, is that we have very strong data protection standards
for the police database, relative to other European countries,
but we cannot say with complete assurance that other European
countries, particularly other accession countries, have quite
the same standards, yet we are prepared to transfer that information.
Dr Hosein: I am not convincedI
am going to be slightly controversialthat the UK Information
Commissioner has ever stopped a problematic surveillance programme
in the way that his colleagues in Europe have. Children are fingerprinted
in schools with the consent of the Information Commissioner in
this country, yet in Ireland and Hong Kong, those practices were
banned. The Greek Commissioner in the past has prevented his Government
from fingerprinting visitors to the country, even during the Olympics,
which was a high security event, and has forced the Government
to remove information held on ID cards. The German Commissioners
regularly force back Government proposals whether it is about
collection of biometrics or advancing surveillance systems. I
have not seen a similar level of activity in this country.
Q279 Viscount Bledisloe: To the layman,
we seem to have an awful lot of Commissioners, we have an Information
Commissioner, a Surveillance Commissioner, an Interception of
Communications Commissioner, an Intelligence Services Commissioner
and now you want a CCTV Commissioner. Is there any scope for a
rationalisation or a centralisation of these functions and do
they on top of that additional powers?
Mr Crossman: In answer to your first
question, absolutely. I would get rid of the system of having
separate offices for the Surveillance Commissioner, Interception
of Communications and Intelligence Services Commissioners because
it is unnecessary. The only reason there are three of them is
because historically we have had these three bodies. We should
get rid of the whole lot and have a single Commissioner responsible
for the oversight of intrusive surveillance currently covered
by RIPA. As I said with the CCTV Commissioner, that was merely
a suggestion in relation to the current powers of the ICO. It
is not about how many commissioners you have, it is about the
powers that they have and the powers to act proactively. Responding
slightly to what Mr Crossman said, the ICO acts within the remit
of his powers. He does not actually have much in the way of power,
so it is not about how many commissioners you have but ensuring
that, especially against public bodies, that is where the difficulty
often lies, it is easy to take action against the shopkeeper but
it is a bit more difficult to take action against a Government
department. Governments do not like franchising out powers to
those who can take action against them. However, I think it is
appropriate that certainly in the case of the ICO and for example
the Identity Card Commissioner, who also lacks sufficient power
in my view, that you have a small number of robust commissioners.