Surveillance: Citizens and the State - Constitution Committee Contents


Examination of Witnesses (Questions 260-279)

Mr Gareth Crossman, Dr Eric Metcalfe and Dr Gus Hosein

6 FEBRUARY 2008

  Q260  Lord Peston: The alternative view, and I used to be an expert on public good, is that your approach to this matter brings the right to privacy into disrepute.

  Dr Metcalfe: No more so than the right to refuse medical treatment.

  Q261  Lord Peston: I should not really be arguing with you.

  Dr Hosein: I just think we are approaching this from a slightly wrong perspective. What we are talking about is, of course, as an individual patient moves around the system, it would be ideal if his or her medical records followed accordingly. Instead, what is being designed is a centralised database of all the medical records of all the people in this country, without their consent, made accessible across the NHS and other Government departments to 400,000 different types of civil servants who can get access to your medical records. That is a design issue, and that is wrong. If we could design something that made it completely possible for an individual to carry around say, a medical card that carries the record from office to office to office and discloses only what is necessary to that doctor or that hospital, that is fantastic, but that is not what has ever been considered.

  Q262  Baroness O'Cathain: We have recently had some very good evidence from people dealing with the DNA database, so what additional legal and ethical safeguards would you suggest for the national DNA database?

  Dr Hosein: I believe all of our organisations have been involved in the Marpa case as it goes to the European Court. We submitted a brief to the European Court discussing some solutions to the current problem. To answer your question directly, I believe that a complete rethink is required. If I was forced to come up with a solution for the DNA issue for the police, it would be to create a database of all the cold cases—with all the evidence left at scenes of crime over the years—and create a DNA database of that. As you arrest and charge people, you can take DNA to verify against that database, but there is no need to collect the information arbitrarily based on just being arrested and retaining it indefinitely—I do not agree with that. Dr Helen Wallace, who, I believe, has spoken; she is our adviser on that issue.

  Q263  Baroness O'Cathain: Could we have a copy of your submission to the European Court, because I do not think we have had that?

  Dr Hosein: I am not sure that we are allowed to.

  Q264  Baroness O'Cathain: It just might help us to concentrate our minds.

  Dr Hosein: I would love to and if I can look into that, I will definitely come back to you.

  Mr Crossman: You asked a question about the legal regime and there are some specific changes that I would make to the current regime as we have it in order to, in my view, make the current retention of DNA more proportionate. In recent years there has been roll-out of the national DNA database so that permanent retention of DNA samples is allowed from anybody who is arrested for what is called a "recordable offence". A recordable offence is an offence which carries a sentence of imprisonment, even if you do not get sent to prison. So, from a very minor offence or some other non-imprisonable offences such as begging, if you are arrested for any of those offences and actually charged, you can have your DNA permanently retained until you are 100 years old. There is really no statutory basis for getting rid of it; that is where the problem lies. It is very open-ended, it is left to the discretion of individual forces, who apply it on a rather arbitrary and piecemeal basis. The default position is not to delete samples of DNA, they only tend to be deleted when an individual is so bloody-minded about it that they continue to push and push until in the end the individual police force gets rid of it. That is not a satisfactory basis.

  Q265  Chairman: I have received an extremely helpful suggestion that if possible Liberty's view of the DNA database might be sent to us on paper, in the interests of time marching on.

  Mr Crossman: Absolutely. I have passed a few copies of the report around which probably contains all the information you need.

  Chairman: Could I make a traditional Chairman's appeal for brevity in answering questions.

  Q266  Lord Peston: Again, another one of the areas where we have had very considerable technical and technological advances is in tracking people's movements. I am not very clear on how advanced we are on tracking their movements domestically but clearly we now know a lot about their movements across international borders. Is this a major infringement or potentially a major infringement to individual rights and liberties and privacy, or is it a minor matter? What is your view on this? Do we need more safeguards?

  Dr Metcalfe: JUSTICE's view is that this is a very serious matter. I think a lot of passengers to the United States since 9/11 have perhaps not appreciated how much information the United States Government has required of them and that has been passed without their knowledge. There was a recent decision from the European Union in relation to the extent of the interference which was found to be disproportionate. Again, the European Union itself runs a number of very detailed databases, particularly for anyone entering the Schengen area, a great deal of information is gained. The Home Office is now rolling out its new border security network and anyone on a flight to the United Kingdom from any point in the world is now likely to find themselves flagged and cross-referenced with the information. There are various systems that are rolling out, but I think people fail to appreciate when they travel and, of course, international travel is becoming increasingly common, exactly how much information can be shared. I think this is a particular vulnerability because the regulation governing this is not merely what is governed by the United Kingdom, but is also governed by international agreements, in particular, agreements relating to counter-terrorism, and so states are far more willing to share private and personal sensitive information about travellers than they would be in relation to, say, their own citizens.

  Dr Hosein: I am very grateful to you for raising this question because out of all the debates anywhere in the world, the least well-conducted debate is the debate about borders. As an international traveller there is nowhere on earth that you have less rights than at the border of another country, and we are not dealing with that issue. For example, this Government is moving forward on e-borders. I have spoken to senior members of every party and they have no idea what the plans are, we do not pay attention to the plans because we think it applies to other people. That is exactly why, in the United States, they are fingerprinting foreigners, the Americans do not seem to be very concerned, but if they started doing it to Americans, they would be very concerned; but we do not focus on the other. Passenger data transfers is a highly controversial issue that we have not had a debate on in this country which is unfortunate because what Governments are asking for is not just the passenger manifest, which is your name, your birth date and the country of your passport, they are asking for biographical data, such as your preferences, your previous travel patterns, the type of data that they then use to make decisions about you. The leading country in this is the United States, where it has been uncovered, despite laws preventing this from happening, there is an automated targeting programme that reviews all this data, much of which is unreliable—airlines admit this data is not reliable—they review this data using an argument that nobody understands and then flag you to say that you are a risk, or you are not a risk, or you are 80 per cent to be a risk, and you have no right to redress in any of these. This is exactly what is going on in this country; it is exactly what is going on in Europe.

  Q267  Lord Peston: Are you saying this is a warning or, given the vast amount of data that we are talking about, is there anybody who could process that data, really on that scale, accurately? You are talking about enormous amounts of data and a lot of it is completely casual. I can see warning it as a threat but are you going further than that?

  Dr Hosein: These systems are being developed. They probably do not work very well. You might have heard of situations in California about three months ago where the systems crashed and as a result they stopped admitting people at the airport. They had to reroute airplanes, they kept people in the terminal for 14 hours because they were terrified of letting potential terrorists through because they had become reliant on these systems. These systems are not reliable and that is why you have no legal rights in these systems because if you did you would be able to ask, "What information do you hold on me, may I correct it please, may I correct my profile?" You may not.

  Q268  Lord Peston: But it is really misuse, often through incompetence, that you are warning about rather than a more totalitarian fear that we have at this stage, is that what you are saying? I do not know whether you have been across the Channel on Eurostar, but it is a really rather casual business. The idea that this is entering into a database as you are being waived through, I think seems to me to be slightly exaggerated. It is something one would worry about but I am surprised you are saying we are there now.

  Dr Hosein: We are there now. Eurostar is a little bit more innocuous because there are no eating preferences logged in the databases.

  Q269  Lord Peston: Oh, so, do not eat the food on the train?

  Dr Hosein: That is it, indeed. But it does contain information such as who paid for your ticket, and that is sensitive to a lot of people. Is the company paying for your ticket? Is a prospective employer paying for your ticket? Is the Government paying for your ticket? The Americans are keeping this data for 40 years; that is their current plan. Why?

  Q270  Lord Peston: Can I take you back to one other thing. Did you say—I was only half listening—that the fingerprints, say, mine that were taken in 1952 when I went to America for the first time to do research, the Americans store it for 100 years? So my fingerprints are still on record from all those years ago?

  Dr Hosein: Yes, that is right.

  Q271  Lord Rowlands: I would like to come back to more domestic issues. If these reports advocate new legislation to regulate CCTV cameras, I wonder if you could briefly outline what kind of legislation is required at the moment and how would it compare, for example, with the Information Commissioner's Code of Practice?

  Mr Crossman: I am aware that for approximately 80 per cent of my time as Director of Policy at Liberty I am calling for fewer laws and the rest of the time when speaking about privacy I usually spend calling for more laws. So, you need to be able to justify why you are doing so. I think that CCTV is very under regulated. The Data Protection Act provides a regulatory framework. In the case of Durrant, which caused all sorts of consternation about the extent to which different CCTV systems were covered by the Data Protection Act, which itself is rather creaking at the seams and is rather outdated. New specific legislation covering CCTV is needed, which would be drawn very much on the ICO's guidance; the ICO provides very good guidance. It is very detailed about where, how and what is the justification for placement of individual CCTV systems; a very good idea. There is no reason why that cannot be in statute. The difference being, guidance is guidance, statute has the capability of enforcement. That would be the template on which I would base it and when I talk of enforcement, which is not something you generally do at Liberty to talk about bringing sanctions, but the ability for civil sanctions to be imposed upon authorities who fragrantly breach the requirements under the CCTV legislation, the possibility even of criminal sanction for people who intentionally misuse CCTV footage with the intention to cause harm to others. Basically, the Data Protection Act does not provide the perfect framework, it is a very long way from being the perfect framework. The ICO and also many local authorities, with the local government information unit guidance, have provided a very good basis. It is not a very big job to take that and put that into the basis of more formal statutory regulation.

  Q272  Lord Rowlands: I do not know if you read the evidence that a senior police officer gave us a couple of weeks ago on CCTV. The impression that was left, on me anyway, was that it is incredible the way it has grown like Topsy and indeed, the vast majority of it is in the private sector and not the public sector. Do you think it is going to be feasible to try to construct a piece of statutory legislation that covers this now huge gamut of existing, let alone future, CCTV provisions? Can you explain to us the problems of even matching up one kind of system with another, in delivering useful evidence for a court case, for example. I would just like to know how you would manage legislatively to cover that whole world.

  Mr Crossman: That does raise another separate issue which is that you can pass all the laws in the world but unless they are effectively enforced then it is not much use. The Information Commissioner's Office does very good work. They have tried as well as they can to provide appropriate guidance on CCTV. I think they are very much under funded and find it very difficult to do the job that they do. I do not see a significant problem in having an overarching piece of legislation that applies to both public and private sector.

  Q273  Lord Rowlands: The legislation would apply to retail premises which have a camera?

  Mr Crossman: That is exactly what the Data Protection Act does now. The point I might make about that is that there is an arguable case for a separate CCTV Commissioner.

  Q274  Lord Lyell of Markyate: I agree with so much of what you say, but I think we are just overwhelmed with regulation and if every small shop has got to make an application to a local authority to have the CCTV in its shop -which really does not worry me one bit—I just think you are piling it on and think you should concentrate on other points. Can you tell us what benefit would come from this?

  Mr Crossman: I do not see any fundamental change in the structure of the system. At the moment, if you operate a CCTV system, which falls under the Data Protection Act, you are supposed to register with the Information Commissioner's office. I think a lot of people do not, but they are supposed to. I am not saying that it should be any different, I am not saying that camera systems like private systems that do not look out and are not focused on different areas which currently fall out of the DPA, I am not suggesting that they should be brought in to CCTV legislation. Essentially, I am not saying that there should be any change in which cameras are governed, what I am saying is that there needs to be better regulation. In fact, I think this would lead to far fewer cameras. The problem we have, particularly in terms of crime detection is that the systems we have are often very poor. I used to practice as a criminal lawyer and I know how poor some of these systems are for evidential purposes. I think fewer but better systems would be brought in by regulation. With fewer cameras, the footage they did have might be of better use in crime detection.

  Q275  Lord Rowlands: Did I hear you say that you wanted a CCTV commissioner?

  Mr Crossman: I think it is an idea.

  Q276  Lord Rowlands: Normally, you are wanting to do away with Commissioners not create new ones.

  Mr Crossman: I know I am. The reason I say that slightly guardedly is because I would be loathe to suggest anything that increases the resource burden on the Information Commissioner's Office who I believe is very much under-resourced. Given proper resourcing for his office, I do not see any reason why he cannot continue in the same way as he regulates the DPA, to regulate CCTV more generally. That is the reason why I suggested it, not loading any more work on him.

  Dr Metcalfe: Just to reinforce very briefly the point made by Mr Crossman that you can have all the laws that you like but enforcement is key. What we find at the moment is that the Information Commissioner is struggling to cover both the public and private sectors. In particular, and this is a very simple point, the Information Commissioner has the power to audit a private company in relation to their data protection, for example, but they do not have any power to compel an audit. So they can request an audit and if the company agrees, the Information Commissioner can carry out the audit. If the company refuses, then the Information Commissioner cannot act. That seems to us to be a basic anomaly.

  Dr Hosein: CCTV is a great example of public policy failure in the sense that we do not know how many cameras there are, we do not know how much they cost, we do not know how they are actually used, yet we keep on supporting them. I do not quite understand how that works. I do not understand how other countries can get by without CCTV cameras or focus on a specific environment. The Home Office report from last year said that on anecdotal evidence -and you probably heard this from the senior policeman you referred to earlier—80 per cent of the images are not of use. So why are we spending money on all these cameras? It does not add up in the end and I cannot figure it out. For example, my own council sent me an advertisement last month which said, "Oh, we are spending more money on public safety, we have invested £1 million in ten more cameras", and they say, "some of which will be focused on problem areas". Well, where are the rest going? And why is their entire policing budget going into CCTV? Does that local council know the evidence about CCTV? Has it questioned the effectiveness of CCTV? No, the politicians and policy makers grab budgets, throw them at CCTV because the public seems to want it and it seems to be the solution to a problem that they have not yet quite identified.

  Q277  Chairman: Could I move on from CCTV to wider aspects of the Data Protection Act. Liberty's written evidence said that the Data Protection Act is not equipped to cope with mass data processing exercises because, for example, the requirement that processing should only take place for specified purposes is weak. Can you say how you think this weakness can be overcome and the working of the Act improved?

  Mr Crossman: I know that time is an issue here so this subject is covered in a fair amount of detail in the report which I have handed to you, so I will be quite brief. The Data Protection Act is a piece of legislation based on the 1995 Directive, which was good for the time but is now showing the strain of not being able to deal with mass informational sharing, which ten years ago was pretty much unimaginable. It is not simply looking at the Data Protection Act, it is looking very much at the Information Commissioner's powers to take proactive action to ensure Data Protection compliance. But there are issues, both over implementation of the DPA, over, for example, the definition of personal data, where the UK seems to have not applied the definition of personal data which is contained in the Directive and enforced by many other countries, which allows data to be franchised out in a non-DPA compliant way. The Data Protection Act is not an enforcement or regulatory mechanism, it is an administrative mechanism. The way it is set up, it says, "This is how things will happen", but if they do not happen, there is not really much comeback. Something a little bit more robust is overdue.

  Q278  Lord Lyell of Markyate: This is a very good paper by JUSTICE, if I may say so, particularly in explaining the role of the common law and the development of the law. But, how important do you think human rights legislation and European regulatory frameworks are in safeguarding United Kingdom citizens from the dangers of surveillance and data collection? How might this kind of regulation be improved? You point out that there are many more regulations in Europe, that they approach things differently. Can you explain it to us?

  Dr Metcalfe: We cannot go the European route, we cannot rework much of our legal system. The European approach to personal identity is very different, they have the registration of names, for example, whereas under common law, you are free to call yourself any name that you choose so long as you do not commit fraud or deceive another person to obtain a benefit thereby. We are pretty much stuck with the common law tradition in the way we enact legislation and the way we interpret our legislation. The European Convention on Human Rights as an overarching framework is extremely important in providing a general principle -the general right to privacy—and that is very valuable. I would also say that European Union law is very helpful, in particular, the work of the European Data Commissioner in protecting the privacy rights of individuals in relation to the various information gathering powers that the European institutions have, particularly the European Commission, but obviously, more work needs to be done. There is very limited awareness—certainly at the public level but even among Government departments—of the very broad reach of European law into our domestic law, particularly as it relates to privacy. A very good example of this is the information-sharing agreement between law enforcement databases. It is now going to be possible for law enforcement data to be passed between European Union countries, on the basis of mutual recognition, which is that the information held on the police database will be available to other police forces throughout the European Union. The concern, of course, is that we have very strong data protection standards for the police database, relative to other European countries, but we cannot say with complete assurance that other European countries, particularly other accession countries, have quite the same standards, yet we are prepared to transfer that information.

  Dr Hosein: I am not convinced—I am going to be slightly controversial—that the UK Information Commissioner has ever stopped a problematic surveillance programme in the way that his colleagues in Europe have. Children are fingerprinted in schools with the consent of the Information Commissioner in this country, yet in Ireland and Hong Kong, those practices were banned. The Greek Commissioner in the past has prevented his Government from fingerprinting visitors to the country, even during the Olympics, which was a high security event, and has forced the Government to remove information held on ID cards. The German Commissioners regularly force back Government proposals whether it is about collection of biometrics or advancing surveillance systems. I have not seen a similar level of activity in this country.

  Q279  Viscount Bledisloe: To the layman, we seem to have an awful lot of Commissioners, we have an Information Commissioner, a Surveillance Commissioner, an Interception of Communications Commissioner, an Intelligence Services Commissioner and now you want a CCTV Commissioner. Is there any scope for a rationalisation or a centralisation of these functions and do they on top of that additional powers?

  Mr Crossman: In answer to your first question, absolutely. I would get rid of the system of having separate offices for the Surveillance Commissioner, Interception of Communications and Intelligence Services Commissioners because it is unnecessary. The only reason there are three of them is because historically we have had these three bodies. We should get rid of the whole lot and have a single Commissioner responsible for the oversight of intrusive surveillance currently covered by RIPA. As I said with the CCTV Commissioner, that was merely a suggestion in relation to the current powers of the ICO. It is not about how many commissioners you have, it is about the powers that they have and the powers to act proactively. Responding slightly to what Mr Crossman said, the ICO acts within the remit of his powers. He does not actually have much in the way of power, so it is not about how many commissioners you have but ensuring that, especially against public bodies, that is where the difficulty often lies, it is easy to take action against the shopkeeper but it is a bit more difficult to take action against a Government department. Governments do not like franchising out powers to those who can take action against them. However, I think it is appropriate that certainly in the case of the ICO and for example the Identity Card Commissioner, who also lacks sufficient power in my view, that you have a small number of robust commissioners.


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2009